diff --git a/client-sdks/reference/javascript-web.mdx b/client-sdks/reference/javascript-web.mdx
index bbfe1093..f35489ea 100644
--- a/client-sdks/reference/javascript-web.mdx
+++ b/client-sdks/reference/javascript-web.mdx
@@ -351,6 +351,35 @@ pnpm upgrade @powersync/web @journeyapps/wa-sqlite
## Developer Notes
+### Content Security Policy (CSP)
+
+
+**Required for Production:** Your Content Security Policy `script-src` directive must include `'wasm-unsafe-eval'` for PowerSync to work, particularly in Safari.
+
+
+PowerSync Web SDK requires the `wasm-unsafe-eval` directive in your Content Security Policy headers to function correctly.
+
+**Why it's required:**
+
+PowerSync uses [wa-sqlite](https://www.npmjs.com/package/@journeyapps/wa-sqlite), which requires WebAssembly compilation at runtime to bind JavaScript functions to SQLite internals. Without `wasm-unsafe-eval`, browsers will block WebAssembly module instantiation, preventing PowerSync from functioning.
+
+**Proper CSP configuration:**
+
+```
+Content-Security-Policy: script-src 'self' 'wasm-unsafe-eval';
+```
+
+**Security considerations:**
+
+- `wasm-unsafe-eval` only permits WebAssembly compilation (NOT JavaScript `eval()`)
+- This is more secure than `unsafe-eval`, which permits both WASM and JavaScript eval
+- It's the industry-standard directive for WASM-based applications
+- WebAssembly has strong security boundaries and memory isolation
+
+
+Safari's strict CSP enforcement will block PowerSync functionality if this directive is missing. Modern browsers (Safari 15.2+, Chrome 95+, Firefox 102+) all support `wasm-unsafe-eval`.
+
+
### Connection Methods
This SDK supports two methods for streaming sync commands:
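Review bot: In the added CSP section, `'wasm-unsafe-eval'` is called a "directive" in the paragraph after the callout ("requires the `wasm-unsafe-eval` directive") and again in the third security bullet, but it is a source keyword that goes inside the `script-src` directive, as the callout line itself says; use one term throughout. The "Proper CSP configuration" example is a complete header containing only `script-src 'self' 'wasm-unsafe-eval';`, which a reader may paste over an existing policy, so state that the keyword should be appended to the site's current `script-src` source list and that other sources and directives stay as they are. The requirement is also stated twice in a row (the callout, then the next paragraph); one of the two can be dropped. The browser versions in the final added paragraph are given without a source, so link to compatibility data that lets readers verify them.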