I have done the first development of a website and its deployment. Scanning the server with an online security evaluation tool, I was recommended to add a Content Security Policy to the website, and I understand that this can help with XSS. But I read that this will disable inline CSS styles.
I have used inline CSS freely all over the website. I did not know this was a bad thing (e.g. `div style="width:100%;"`). If I were to find and transfer all inline CSS to a file, it would take too long.
However, I am only taking input from users on 3 pages. One is a feedback form that stores data on the server only. One is a contact form that does not store data and only sends an email (it collects the user's email address). The comments page takes comment input, stores the data, and retrieves and displays entries that have been cleared by an admin. The other pages mostly display static content.
I'm assuming the comments page is the priority (is this right?). Would it work if I put CSP declarations (? `default-src: https:`) on the above three pages only (and removed inline CSS there), and had the others with inline enabled (? `default-src: https: 'unsafe-inline'`)?
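As an added example (not part of the question or any answer), here is a small Python checker that parses a CSP header and reports whether it still permits arbitrary inline `style` attributes or inline `<script>` elements, applied to the two policies proposed above. The fallback chains and the rule that a nonce or hash switches off `'unsafe-inline'` follow the CSP Level 3 spec; the site's stack is unknown, so the code is framework-independent.

```python
"""Check what a Content-Security-Policy header allows for inline content.

CSP3 fallback chains (first directive present wins):
  inline style attributes : style-src-attr  -> style-src  -> default-src
  inline <script> elements: script-src-elem -> script-src -> default-src
'unsafe-inline' permits inline content, but browsers that understand nonces
and hashes ignore it as soon as a nonce or hash appears in the same list.
Nonces never cover style attributes; hashes cover them only with
'unsafe-hashes' (and then only for attributes whose hash is listed).
"""

CHAINS = {
    "style-attr": ("style-src-attr", "style-src", "default-src"),
    "script-elem": ("script-src-elem", "script-src", "default-src"),
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def governing_sources(policy, kind):
    """Return the source list governing `kind`, or None if unrestricted."""
    for name in CHAINS[kind]:
        if name in policy:
            return policy[name]
    return None


def allows_arbitrary_inline(header, kind):
    """True if any inline content of `kind` runs/applies under this policy."""
    sources = governing_sources(parse_csp(header), kind)
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    if "'unsafe-inline'" not in sources:
        return False
    # A nonce or hash in the list disables 'unsafe-inline' in CSP2+ browsers.
    return not any(s.startswith(NONCE_OR_HASH) for s in sources)


if __name__ == "__main__":
    # The two policies from the question (CSP syntax uses a space, not a colon).
    for csp in ("default-src https:", "default-src https: 'unsafe-inline'"):
        print(csp, "| style attrs:", allows_arbitrary_inline(csp, "style-attr"),
              "| inline scripts:", allows_arbitrary_inline(csp, "script-elem"))
```

The second policy keeps the inline styles working, but it also re-enables inline scripts on those pages, which is exactly the XSS protection the scanner was recommending; a separate `script-src` without `'unsafe-inline'` keeps the two concerns apart.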