Problem
The CSP includes script-src 'self' 'unsafe-inline' use.typekit.net ... and style-src 'self' 'unsafe-inline' .... Not an SEO ranking factor, but 'unsafe-inline' in script-src lets any injected inline script run, which is the attack class CSP is meant to stop, so it weakens XSS protection. (The rest of the header set is excellent: HSTS, nosniff, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy.)
Fix
Move to a nonce/hash-based CSP for the inline Typekit loader; optionally add preload to HSTS.
Files: netlify.toml / static/_headers
Found by /seo audit (technical), 2026-05-29.
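The fix above calls for a hash (or nonce) source expression instead of 'unsafe-inline'. The following is an added example, not code from the site or from Netlify: it computes the CSP hash for an inline script body, assembles a script-src/style-src pair without 'unsafe-inline', checks an existing policy for the weak setting, and renders the result in the two header formats named in the report (static/_headers and netlify.toml). The inline loader text and the use.typekit.net host list are constructed placeholders; the real snippet is not reproduced here.

```python
import base64
import hashlib

# Constructed placeholder for the inline font-loader snippet; the site's real
# snippet is not reproduced. The hash covers the exact bytes between <script>
# and </script>, so every whitespace and line-break change requires a recompute.
INLINE_LOADER = (
    "(function(d){var s=d.createElement('script');"
    "s.src='https://use.typekit.net/EXAMPLE.js';d.head.appendChild(s);})(document);"
)

# Assumed third-party hosts: the loader fetches JS and CSS from use.typekit.net.
SCRIPT_HOSTS = ["use.typekit.net"]
STYLE_HOSTS = ["use.typekit.net"]


def csp_hash(source: str, algorithm: str = "sha256") -> str:
    """Return the CSP source expression, e.g. 'sha256-<base64>', for an inline body.

    CSP only accepts sha256, sha384 and sha512, and the digest is base64 (not hex).
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hashes must be sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def build_csp(script_hashes, script_hosts, style_hosts=(), style_hashes=()) -> str:
    """Assemble script-src and style-src with hashes in place of 'unsafe-inline'."""
    script_src = ["'self'", *script_hashes, *script_hosts]
    style_src = ["'self'", *style_hashes, *style_hosts]
    return (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        f"style-src {' '.join(style_src)}"
    )


def parse_csp(csp: str) -> dict:
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def allows_inline_scripts(csp: str) -> bool:
    """True when the effective script policy contains 'unsafe-inline'.

    script-src governs scripts when present; otherwise default-src applies.
    """
    directives = parse_csp(csp)
    effective = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in effective


def netlify_headers_block(csp: str) -> str:
    """Render the policy in the format of Netlify's static/_headers file."""
    return "/*\n  Content-Security-Policy: " + csp + "\n"


def netlify_toml_block(csp: str) -> str:
    """Render the policy as a [[headers]] table for netlify.toml."""
    return (
        "[[headers]]\n"
        '  for = "/*"\n'
        "  [headers.values]\n"
        f'    Content-Security-Policy = "{csp}"\n'
    )


if __name__ == "__main__":
    weak = "script-src 'self' 'unsafe-inline' use.typekit.net; style-src 'self' 'unsafe-inline'"
    print("current policy allows inline scripts:", allows_inline_scripts(weak))
    hardened = build_csp([csp_hash(INLINE_LOADER)], SCRIPT_HOSTS, STYLE_HOSTS)
    print("hardened policy allows inline scripts:", allows_inline_scripts(hardened))
    print(netlify_headers_block(hardened))
    print(netlify_toml_block(hardened))
```

Two practical points follow from this. A nonce has to differ per response, so on a statically hosted site the hash form is the workable one. And a hash source expression covers only inline script elements; inline event-handler attributes are not allowed by hashes unless 'unsafe-hashes' is also present, so any such attributes need to be moved into the hashed script (or an external file) for the policy to hold.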