Insecure Script-src and Style-src

Hi Dylan,

For script-src, I am using an ‘unsafe-eval’ ‘unsafe-inline’ value
For style-src, I am using only an ‘unsafe-inline’ value

However, according to hardenize.com, these parameters shouldn’t be used because it renables insecure behavior that CSP disables by default. Here’s a more in-depth explanation as to why this website doesn’t recommended these values:

Script-src, unsafe-eval: By default, CSP doesn’t allow dynamic script execution via eval and friends, but this policy overrides that behavior by specifyin ‘unsafe-eval’ in the ‘script-src’ directive. As a result, XSS defenses provided by CSP are significantly weakened.

Script-src, unsafe-inline: By default, CSP doesn’t allow inline script execution, but this policy overrides that behavior by specifying ‘unsafe-inline’ in the ‘script-src’ directive. As a result, all XSS defenses provided by CSP are significantly weakened.

Style-src, unsafe-line: This policy allows inline styles. Although they are not as bad as inline scripts in terms of security, an injection bug in script area would allow the attacker to modify page appearance.

Do you have any sound recommendations to address these security concerns? If I delete these values, I end up getting many errors.

Thanks for the help like always and I apologize for taking so much of your time!

All my best,

Joe