CSP script-src contains 'unsafe-inline' or 'unsafe-eval' with no compensating nonce / hash / strict-dynamic
Your Content Security Policy (CSP), the set of rules controlling which scripts may run on your site, includes 'unsafe-inline' or 'unsafe-eval' in its script-src directive and does not use a nonce, hash, or 'strict-dynamic' to compensate. This means injected scripts can execute freely.
Why this matters
CSP exists specifically to prevent cross-site scripting (XSS) attacks, where malicious code is injected into your pages. Allowing unsafe-inline without compensation largely defeats that protection, leaving visitors exposed to script injection despite having a policy in place.
How to fix it
Remove 'unsafe-inline' and 'unsafe-eval' from your script-src directive. Replace them with nonces (a unique, unpredictable token generated for each response and set as the nonce attribute on every approved script tag) or hashes (the digest of each approved inline script's exact contents), and add 'strict-dynamic' so that scripts loaded by those trusted scripts are also allowed; note that in CSP3 browsers 'strict-dynamic' causes host allowlists in script-src (such as 'self' or a CDN origin) to be ignored, so every script must be reachable through a nonce or hash. A developer familiar with your framework can usually make this change in a focused session.
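As an added example (not part of this finding's page or any scanner's code), the check below implements the rule stated above over a raw CSP header value: it flags a script-src (or the default-src fallback) that allows 'unsafe-inline' or 'unsafe-eval' without a nonce, hash, or 'strict-dynamic', and it builds the nonce-based replacement policy. The sample policies and the cdn.example.com origin are constructed.

```python
import re
import secrets

# Source expressions that compensate for the unsafe keywords under this finding's rule.
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_RE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/=_-]+'$")
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}.
    Directives are ';'-separated; a repeated directive is ignored, as browsers honour only the first."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_sources(policy):
    """script-src governs script execution; if it is absent, default-src applies."""
    return policy.get("script-src", policy.get("default-src", []))

def check_script_src(header):
    """Return a list of findings; an empty list means the policy passes this check."""
    sources = script_sources(parse_csp(header))
    unsafe = [s for s in sources if s.lower() in UNSAFE_KEYWORDS]
    compensated = any(
        NONCE_RE.match(s) or HASH_RE.match(s) or s.lower() == "'strict-dynamic'"
        for s in sources
    )
    if unsafe and not compensated:
        return [f"script-src allows {', '.join(unsafe)} without a nonce, hash or 'strict-dynamic'"]
    return []

def new_nonce():
    """128 bits from the OS CSPRNG; generate a fresh one for every response."""
    return secrets.token_urlsafe(16)

def nonce_policy(nonce):
    """Hardened policy: every approved <script> tag must carry nonce="<nonce>";
    'strict-dynamic' lets those scripts load further scripts (and makes CSP3
    browsers ignore host allowlists); object-src/base-uri close common bypasses."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

# Constructed sample policies: the weak one this finding describes and its hardened replacement.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
HARDENED_POLICY = nonce_policy(new_nonce())
```

Run the check against the Content-Security-Policy header your server actually emits; the nonce must be regenerated per response, so a policy that hardcodes one still fails in practice even though it passes this static check.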