SiteGlowUp

Why CSP shows 'unsafe-inline' (for style only, as of v3.8.128)

2 min read

Status update — v3.8.128

As of release v3.8.128, your site's CSP no longer allows inline scripts. Mozilla Observatory and other security scanners should now show a higher CSP grade than before. The Health-page "CSP unsafe-inline" recommendation should resolve on the next scan.

The CSP still allows inline styles (style="..." attributes and <style> blocks in HTML), and that's intentional: rewriting every AI-generated site's inline styles into external CSS is a much larger refactor with a much smaller security upside, so we're keeping 'unsafe-inline' in style-src for now.

How we got here

Your site used to run a few small inline <script> blocks:

  • The contact form submit handler (validates inputs, POSTs to our API).
  • The Google Analytics gtag bootstrap (if you connected GA).

Under a CSP, browsers won't run inline scripts unless the policy permits them, either per script (a nonce or hash listed in script-src) or wholesale with 'unsafe-inline'. We took the wholesale route for a long time because it kept the customer experience simple, but security scanners (correctly) flag 'unsafe-inline' in script-src as weaker than ideal: it lets any inline script run, including one an attacker manages to inject.

In v3.8.125 we externalized the contact-form handler to a per-site JS file. In v3.8.126 we externalized the GA bootstrap the same way. In v3.8.127 we ran a fleet-wide backfill that re-applied both changes to every existing customer site. In v3.8.128 we dropped 'unsafe-inline' from script-src in the CSP.
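To make the before-and-after concrete, here is a small policy checker written for this post. It is an added example, not SiteGlowUp's code or the exact headers we ship; the three policies in it are constructed samples, and the allowed hosts in them are assumptions. It parses a Content-Security-Policy header, resolves the fallback from script-src/style-src to default-src, and reports whether inline scripts and inline styles are effectively permitted, which is essentially the check a scanner runs. It also handles the edge case that the original explanation glosses over: when a directive carries a nonce, hash or 'strict-dynamic', browsers that understand those ignore 'unsafe-inline' in the same directive.

```javascript
// Added example (not SiteGlowUp's code). Evaluate whether a CSP header lets
// inline <script> / <style> run, resolving default-src fallback and the
// CSP Level 3 rule that nonces, hashes and 'strict-dynamic' disable 'unsafe-inline'.

// Parse "directive value value; directive value" into a Map of lower-cased
// directive names to their raw source tokens. The first occurrence of a
// directive wins; later duplicates are ignored, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Source list that actually governs a fetch directive: the directive itself,
// else default-src, else null (the policy places no restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// True when inline content of this kind would execute/apply under the policy.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true; // nothing restricts it
  // Strip the surrounding quotes of keyword sources; prefix checks below are
  // case-insensitive but the nonce/hash values themselves are never compared.
  const lowered = sources.map((s) => s.toLowerCase().replace(/^'|'$/g, ""));
  if (!lowered.includes("unsafe-inline")) return false;
  const hasNonceOrHash = lowered.some((s) => /^(nonce-|sha(256|384|512)-)/.test(s));
  // 'strict-dynamic' only has meaning in script-src; elsewhere it is an unknown token.
  const hasStrictDynamic = directive === "script-src" && lowered.includes("strict-dynamic");
  return !(hasNonceOrHash || hasStrictDynamic);
}

// Summarize a header the way a scanner would report it.
function auditCsp(header) {
  const policy = parseCsp(header);
  const result = {
    inlineScript: allowsInline(policy, "script-src"),
    inlineStyle: allowsInline(policy, "style-src"),
    findings: [],
  };
  if (result.inlineScript) {
    result.findings.push("script-src permits inline scripts ('unsafe-inline' is effective or the directive is missing)");
  }
  if (result.inlineStyle) {
    result.findings.push("style-src permits inline styles");
  }
  return result;
}

// Constructed sample policies, not the real SiteGlowUp headers. The GA host is
// an assumption about what an externalized gtag bootstrap would need to load.
const BEFORE =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'";
const AFTER =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'";
// A nonce present alongside 'unsafe-inline': modern browsers ignore the keyword.
const NONCED =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

for (const [label, header] of Object.entries({ BEFORE, AFTER, NONCED })) {
  console.log(label, auditCsp(header));
}
```

Run it with node to see that the BEFORE policy flags inline scripts, the AFTER policy only flags inline styles, and the NONCED policy, despite still spelling out 'unsafe-inline', does not permit inline scripts. To check what your own site actually serves, fetch its response headers (for example with curl -sI against your site's URL and look for Content-Security-Policy) and paste the value into auditCsp.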

What this means for you

Nothing changes in how your site looks or behaves. Visitors don't notice anything different. The contact form still works; GA still tracks; the rest of your site is unaffected.

If a scanner re-runs against your site, the CSP grade should jump from B/C to A. The Health-page recommendation should auto-resolve once the next scan runs (or you can hit "Rescan" to refresh sooner).

Why we still allow inline styles

Bedrock generates lots of <div style="color: blue; ..."> style attributes. Pulling every inline style out into external CSS is much larger work for much smaller security benefit. Inline CSS can't execute script, so an attacker who could inject it couldn't read your form data, call our API with a visitor's session, or steal cookies; what they could do is change how the page looks (hide, overlay or restyle elements). CSS isn't completely inert: a url() in an injected style still triggers a request (still bound by the img-src and font-src directives of the same CSP), and an injected <style> block with attribute selectors can leak attribute values piece by piece. That's why we call the upside smaller rather than zero, and why a stricter variant exists for sites that need it.

If you have a regulatory requirement that mandates a strict CSP with no 'unsafe-inline' at all (PCI-DSS Level 1, certain healthcare frameworks), email support@siteglowup.ai and we can move your site to a stricter variant.