Extends Cake\Http\Middleware\CspMiddleware to support nonce.

NonceCspMiddleware.php

<?php

namespace App\Middleware;

use Cake\Http\Middleware\CspMiddleware;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

class NonceCspMiddleware extends CspMiddleware
{
    /**
     * Serve assets if the path matches one. Generate nonce for <script>
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request The request.
     * @param \Psr\Http\Server\RequestHandlerInterface $handler The request handler.
     * @return \Psr\Http\Message\ResponseInterface A response.
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $nonce = $this->csp->nonce('script-src');
        $request = $request->withAttribute('cspScriptNonce', $nonce);

        $response = $handler->handle($request);

        // phpcs:ignore SlevomatCodingStandard.Commenting.InlineDocCommentDeclaration.InvalidFormat
        /** @var \Psr\Http\Message\ResponseInterface */
        return $this->csp->injectCSPHeader($response);
    }
}

Supports CakePHP v4.x

Add nonce attribute to all the <script> tags in your templates.
<script nonce="<?= $this->getRequest()->getAttribute('cspScriptNonce') ?>">