---
slug: the-nuclear-option-no-more-unsafe-inline
title: "The Nuclear Option (No More unsafe-inline)"
date: "2021-10-25T18:50:13-04:00"
draft: false
---
As you can see from the [last post][previous post], I went with the nuclear option
and created a [Hugo table shortcode][git], then did the following:

1. Updated all the tables on the site to use the new
   [table shortcode][git].
2. Removed `style-src 'self' 'unsafe-inline'` from the
   [`Content-Security-Policy` header][csp].
3. Re-ran the [Security Headers][securityheaders] scan.

Here is the updated [`Content-Security-Policy`][csp] from the
[Apache][] config:

```apache
# look ma, no unsafe-inline!
Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
```

And here is the updated [Security Headers][securityheaders] scan result:

[{{< figure
  src="/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png"
  class=image
  width=1218
  height=248
  caption="Updated Security Headers scan result."
>}}][securityheaders-results]

[previous post]: {{< relref "posts/2021-10-25-table-shortcode-for-hugo.md" >}}
  "Release announcement for hugo-shortcode-table."
[git]: https://pablotron.org/pablotron/hugo-shortcode-table
  "Table shortcode for hugo."
[securityheaders]: https://securityheaders.com/
  "HTTP response header scanner."
[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  "Content-Security-Policy HTTP response header"
[apache]: https://apache.org/
  "Apache web server."
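
The check below is an added example, not code from the original post: it resolves the effective `style-src` of a policy (falling back to `default-src`) and scans rendered HTML for the inline styles that stop working once `'unsafe-inline'` is removed. `BEFORE` is an assumed reconstruction of the old header, `SAMPLE_HTML` is constructed, and the function and class names are illustrative.

```python
from html.parser import HTMLParser

# AFTER is the policy from the post; BEFORE is an assumed reconstruction that
# puts back the style-src directive the post removed.
AFTER = "default-src 'self'; img-src 'self' https://pmdn.org"
BEFORE = AFTER + "; style-src 'self' 'unsafe-inline'"
# Constructed sample markup, not taken from the site.
SAMPLE_HTML = ('<table>\n<tr><td style="text-align: right">42</td></tr>\n'
               '</table>\n<style>td { color: red }</style>')

def parse_csp(header):
    """Parse a CSP value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_style_src(policy):
    """style-src falls back to default-src; None means styles are unrestricted."""
    return policy.get("style-src", policy.get("default-src"))

def permits_unsafe_inline_styles(header):
    sources = effective_style_src(parse_csp(header))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered

class InlineStyleFinder(HTMLParser):
    """Record markup that needs 'unsafe-inline': style attributes and <style>."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "style":
            self.findings.append((line, "<style> element"))
        if any(name == "style" for name, _ in attrs):
            self.findings.append((line, f"style attribute on <{tag}>"))

def find_inline_styles(html):
    finder = InlineStyleFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Running `find_inline_styles` over every file in the generated site before tightening the header lists the pages that would lose styling under the new policy.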