
Content security policy Issue for ZAP scan with 'unsafe-inline' option

Discussion in 'Angular' started by Vinu Sankar, October 26, 2024 at 06:02.

  1. Vinu Sankar

    Vinu Sankar Guest

    In my application, I am configuring the Content Security Policy for script-src and style-src. When I include the 'unsafe-inline' option, it raises a vulnerability issue during the ZAP security scan. To address this, I removed all inline styles and scripts from the application. However, we are still encountering the same issue.

    I created a sample Angular project, but I'm facing the same problem there as well. Can we set a Content Security Policy without using the 'unsafe-inline' option?

    https://github.com/vinuvatassery/CSP-Implementation-main

    Note: I have also tried using SHA and nonce, but those solutions are not working either.
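
The distinction the question turns on, as an added example (not code from the post or its linked repository): a small JavaScript audit that reports whether 'unsafe-inline' is actually in effect for script-src and style-src in a policy string. The function names, status labels and sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for an effective
// 'unsafe-inline' in script-src and style-src. All names are hypothetical.

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP specification, a repeated directive is ignored: first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Matches a nonce-source or hash-source expression such as 'nonce-...' or 'sha256-...'.
const NONCE_OR_HASH =
  /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}'$/i;

// Classify one fetch directive, falling back to default-src when it is absent.
function inlineStatus(directives, name) {
  const sources = directives.get(name) ?? directives.get('default-src');
  if (sources === undefined) return 'no-restriction'; // nothing limits inline code
  const hasKeyword = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (!hasKeyword) return 'no-unsafe-inline';
  // Browsers implementing CSP Level 2 or later ignore 'unsafe-inline'
  // when the same directive also carries a nonce or a hash.
  return sources.some((s) => NONCE_OR_HASH.test(s))
    ? 'unsafe-inline-ignored'
    : 'unsafe-inline-active';
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  return {
    script: inlineStatus(d, 'script-src'),
    style: inlineStatus(d, 'style-src'),
  };
}

// Constructed sample policies (the nonce value is a placeholder, not a real one).
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
const NONCED = "default-src 'self'; script-src 'self' 'nonce-cmFuZG9tMTIz'; style-src 'self' 'nonce-cmFuZG9tMTIz'";
const MIXED = "script-src 'self' 'unsafe-inline' 'nonce-cmFuZG9tMTIz'";

for (const p of [WEAK, NONCED, MIXED]) console.log(auditCsp(p), '<-', p);
```
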
