diff --git a/runtime/src/server/middleware/get_page_handler.ts b/runtime/src/server/middleware/get_page_handler.ts
index 202e96b88..8fee1062f 100644
--- a/runtime/src/server/middleware/get_page_handler.ts
+++ b/runtime/src/server/middleware/get_page_handler.ts
@@ -341,7 +341,7 @@ export function get_page_handler(
.map(href => ``)
.join('');
} else {
- styles = (css && css.code ? `` : '');
+ styles = (css && css.code ? `${css.code}` : '');
}
const body = template()
diff --git a/site/content/docs/12-security.md b/site/content/docs/12-security.md
index 036568162..964e0748e 100644
--- a/site/content/docs/12-security.md
+++ b/site/content/docs/12-security.md
@@ -6,9 +6,9 @@ By default, Sapper does not add security headers to your app, but you may add th
### Content Security Policy (CSP)
-Sapper generates inline `