Document minimal Content-Security-Policy?

[cyphar]

Is it possible for there to be documentation on exactly what the minimal CSP is if you use docsy as your Hugo theme? It's a requirement of the Core Infrastructure Initative's Best Practices that project websites have the correct security headers set, and most Hugo themes I've seen don't seem to specify whether they require things like unsafe-inline or unsafe-eval (and many of them do).

[LisaFC]

@emckean, can you look into this? Thanks!

[sawp-d]

Is there any update on this? I just started using Docsy and love it, though I'm a bit unsure how to set a CSP header when it looks like there may be many URIs to use. Or do you have any suggestions on disabling inline style and moving to external CSS?