Inline scripts lack CSP nonce or hash

Your site has small scripts embedded directly in the page HTML (called "inline scripts") that are missing a security fingerprint — either a nonce (a one-time random value generated by the server for each page load) or a hash (a cryptographic digest of the script's exact text). One of these fingerprints is required for a strict Content Security Policy (CSP) to allow the script to run; without them the browser has no safe way to tell your inline scripts apart from ones an attacker has injected.

Why this matters

A Content Security Policy is a browser-enforced security layer that blocks unauthorised scripts from running — one of the most effective defences against cross-site scripting (XSS) attacks, where attackers inject malicious code into your pages. Without nonces or hashes on inline scripts, you can't enforce a strict CSP, leaving this protection gap open.

How to fix it

Ask your developer to either move inline scripts to external files, or add a server-generated nonce attribute to each inline script tag and configure your CSP header to allow scripts matching that nonce. This is a technical change but a high-value security improvement.