CSP script-src allows 'unsafe-inline' without 'strict-dynamic'

Your Content Security Policy (CSP) allows 'unsafe-inline' in the script-src directive, meaning inline JavaScript embedded directly in your HTML can run freely. The 'strict-dynamic' compensating control is not present.

Why this matters

unsafe-inline is one of the most common ways CSP is bypassed in cross-site scripting (XSS) attacks. If an attacker can inject a small piece of inline script — through a comment field, URL parameter, or third-party widget — it will execute without restriction.

How to fix it

Remove unsafe-inline from script-src and replace it with nonce-based or hash-based script approval. Add strict-dynamic alongside the nonce or hash so that scripts loaded by approved scripts are also trusted. A developer can usually implement this in a focused session.
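The following Python script is an added example written for this page; it is not code from the scanner or from any project the finding refers to. It shows the two halves of the fix in working form: a small CSP parser and check that flags exactly the condition above (script-src, or its default-src fallback, contains 'unsafe-inline' with no 'strict-dynamic'), and a per-response nonce generator with a builder for the replacement policy. The header values, the `https://cdn.example.test` origin and the `/csp-report` path are constructed for the example; the `object-src 'none'` and `base-uri 'none'` directives are standard companions of a strict policy and are an addition here, not something the finding text specifies.

```python
import base64
import secrets
from typing import Dict, List, Optional

# Sample header value, constructed for this example and not taken from any real site.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.test"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source tokens]}.

    Directive names are case-insensitive. Browsers honour only the first
    occurrence of a repeated directive, so the same rule is applied here.
    """
    directives: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def allows_unsafe_inline_scripts(header: str) -> bool:
    """Return True when the policy matches this finding: the effective script
    source list contains 'unsafe-inline' and lacks 'strict-dynamic'.

    script-src falls back to default-src when absent, so a policy such as
    "default-src 'self' 'unsafe-inline'" is flagged as well.
    """
    csp = parse_csp(header)
    sources = csp.get("script-src")
    if sources is None:
        sources = csp.get("default-src", [])
    # Keyword sources are matched ASCII case-insensitively by browsers.
    keywords = {token.lower() for token in sources}
    return "'unsafe-inline'" in keywords and "'strict-dynamic'" not in keywords


def generate_nonce() -> str:
    """Produce a fresh nonce for one HTTP response: 128 random bits, base64-encoded.

    A nonce must never be reused across responses; a predictable or static
    nonce gives an injected script the same approval as your own.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_strict_csp(nonce: str, report_uri: Optional[str] = None) -> str:
    """Assemble the replacement policy: nonce-approved scripts plus 'strict-dynamic'
    so that scripts loaded by approved scripts are trusted too; 'unsafe-inline' is
    removed entirely. object-src 'none' and base-uri 'none' are the usual companions
    of a strict policy (an addition in this example, not part of the finding text).
    """
    directives = [
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


def render_inline_script(nonce: str, body: str) -> str:
    """Emit an inline <script> the policy will accept: its nonce attribute must equal
    the nonce in the header of this same response. Inline scripts without it,
    including anything injected through a comment or URL parameter, are blocked.
    """
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    print("weak policy flagged:", allows_unsafe_inline_scripts(WEAK_CSP))        # True
    nonce = generate_nonce()
    hardened = build_strict_csp(nonce, report_uri="/csp-report")
    print("hardened policy flagged:", allows_unsafe_inline_scripts(hardened))   # False
    print("Content-Security-Policy:", hardened)
    print(render_inline_script(nonce, "console.log('approved');"))
```

Two deployment points follow from the code. The nonce has to be generated once per response and reach both the header and every `<script>` tag in that response, which means the templating layer needs access to it; caching a rendered page with its nonce baked in defeats the control. Browsers that understand nonces (CSP Level 2 and later) already ignore 'unsafe-inline' whenever a nonce or hash source is present, which is why some sites keep it as a fallback for very old browsers; the builder above follows the finding and drops it outright, so the check reports the hardened header as clean.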