A practical guide to strict Content Security Policy: nonces, hashes, strict-dynamic, Trusted Types, reporting, and the deployment path that avoids breaking production.