CSP has script-src but no 'strict-dynamic' (modern best practice)

Your Content Security Policy (CSP) restricts scripts with a list of approved domains in script-src, but does not use the modern 'strict-dynamic' source expression. 'strict-dynamic', combined with a per-request nonce or a script hash, is the current best-practice pattern for blocking script injection (XSS).

Why this matters

A domain allowlist in CSP can be bypassed if any trusted domain hosts untrusted or attacker-controllable content, which is common with shared CDNs and with libraries that evaluate arbitrary code. 'strict-dynamic' closes that gap: a browser that supports it ignores the host and scheme sources (and 'unsafe-inline') in script-src and trusts only scripts that carry a valid nonce or hash, extending that trust to scripts those approved scripts load programmatically (for example via document.createElement('script')), but not to markup injected through document.write or innerHTML. Trust is therefore granted to individual approved scripts rather than to entire domains, which makes the policy much harder to circumvent.

How to fix it

Work with your developer to switch from a domain-based script allowlist to a nonce- or hash-based approach, then add 'strict-dynamic' to your script-src directive. Nonces must be freshly generated for every response from a cryptographically secure random source and never reused; hashes suit static inline scripts that do not change per request. Most modern frameworks can generate nonces automatically per request and inject them into the script tags they render.