diff --git a/app/Http/Middleware/ContentSecurityPolicy.php b/app/Http/Middleware/ContentSecurityPolicy.php
index 145f576..4b61f49 100644
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -118,7 +118,11 @@ class ContentSecurityPolicy
 $styleSources[] = 'data:';
 $connectSources[] = 'https:';
 $fontSources[] = 'https:';
- $styleElemSources = array_unique(array_merge($styleSources, ["'unsafe-inline'"]));
+ $styleElemSources = array_values(array_filter(
+ $styleSources,
+ static fn (string $source): bool => ! str_starts_with($source, "'nonce-")
+ ));
+ $styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
 
 $directives = [
 'default-src' => ["'self'"],
diff --git a/tests/Feature/SecurityHeadersTest.php b/tests/Feature/SecurityHeadersTest.php
index 561b99d..0da3fe0 100644
--- a/tests/Feature/SecurityHeadersTest.php
+++ b/tests/Feature/SecurityHeadersTest.php
@@ -37,7 +37,7 @@ class SecurityHeadersTest extends TestCase
 $response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
 $response->assertHeader('Content-Security-Policy');
 $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
- $response->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr");
+ $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self' https: data: 'unsafe-inline'");
 $response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
 $response->assertCookie('XSRF-TOKEN');
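Review bot: The new filter strips only `'nonce-` sources before `'unsafe-inline'` is appended, but browsers following CSP Level 3 also ignore `'unsafe-inline'` when a hash source (`'sha256-'`, `'sha384-'`, `'sha512-'`) is present in the same directive, so if `$styleSources` ever carries a hash the filter reintroduces the exact problem this commit fixes; a prefix check such as `static fn (string $source): bool => ! preg_match("/^'(nonce|sha(256|384|512))-/", $source)` covers both cases. The reason for the filter is not obvious from the code and deserves a comment above the `array_filter` call, e.g. `// A nonce or hash in style-src-elem makes browsers ignore 'unsafe-inline'; strip it so inline <style> elements stay allowed.` Since this deliberately widens style-src-elem to all inline styles while other directives presumably stay nonce-gated, the comment should also name which stylesheets require it so the relaxation can be revisited. The enclosing method begins and ends outside this hunk, so I cannot tell here whether `$styleSources` is built from configuration or hard-coded.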
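Review bot: The replacement assertion in SecurityHeadersTest pins the exact token order `style-src-elem 'self' https: data: 'unsafe-inline'`, yet it no longer asserts the property the middleware change is actually about: that the nonce is absent from `style-src-elem` (an ordering change in the middleware would now fail the test while a reintroduced nonce would pass it). Consider extracting the `style-src-elem` directive from the header value and asserting it contains no `'nonce-` token, alongside the existing substring checks. The same applies to the identical assertion change in the `@@ -49,7 +49,7 @@` hunk of the same file.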
@@ -49,7 +49,7 @@ class SecurityHeadersTest extends TestCase
 $login->assertOk();
 $login->assertHeader('Content-Security-Policy');
 $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
- $login->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr");
+ $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self' https: data: 'unsafe-inline'");
 $login->assertHeader('X-Frame-Options', 'SAMEORIGIN');
 $login->assertCookie('XSRF-TOKEN');
 } finally {