In FacetWP v4.5+, and in add-ons released after it, all inline scripts are printed with WordPress’s wp_print_inline_script_tag() function. This makes it possible to use FacetWP on sites that enforce a Strict Content Security Policy (CSP) to mitigate cross-site scripting (XSS).
Cross-site scripting (XSS), the ability to inject malicious scripts into a web app, is one of the biggest web security vulnerabilities.
Content Security Policy (CSP) is an added layer of defense that helps to mitigate XSS. To configure a CSP, the server adds a Content-Security-Policy HTTP header to the response, with directives that control which resources the browser may load and execute for that page.
With a “nonce-based” CSP, a random, unguessable value (the nonce) is generated for each response, included in the script-src directive of the CSP header, and added as a nonce attribute to every legitimate <script> tag on the page. The browser only executes scripts whose nonce attribute matches the header, so an attacker who manages to inject a <script> tag can’t get it to run, because they would need to know the nonce for that response. For this to hold, the nonce must be regenerated on every response and never served from a page cache; a nonce that is reused across responses can be learned and replayed. To learn more about Strict CSP, here is an article on web.dev with a good explanation.
The wp_print_inline_script_tag() function that FacetWP (v4.5+) and most plugins and themes use provides a filter hook, wp_inline_script_attributes, to add a nonce attribute to the inline <script> tag it prints. Its counterpart for external scripts (tags with a src attribute, as printed for enqueued scripts by wp_print_script_tag()) is the wp_script_attributes filter. A Strict CSP implementation needs to hook both, so that inline and external scripts both carry the nonce. Scripts that a plugin or theme echoes as a raw <script> tag bypass these filters and will be blocked by the browser; check the browser console for CSP violation reports after enabling the policy.
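The following mu-plugin is an added example (it is not FacetWP’s code and not the boilerplate referenced further down on this page) of how the two filters fit together with the header. It generates one nonce per request, sends a Strict CSP header on the frontend and on the login screen, and attaches the nonce to every script tag WordPress prints through wp_get_script_tag() / wp_get_inline_script_tag(). The function names prefixed example_ and the directive set are assumptions for this example; adjust the directives to what your site actually loads.

```php
<?php
/**
 * Plugin Name: Example Strict CSP (nonce-based)
 * Description: Added example, not FacetWP's code. Drop into wp-content/mu-plugins/.
 */

// Generate the nonce once per request and reuse it for the header and every script tag.
// random_bytes() is cryptographically secure; 16 bytes (128 bits) is plenty.
// Do NOT use wp_create_nonce() here: it is a per-user token that stays valid for
// up to 24 hours, so it can be learned and reused, which defeats the purpose.
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

// Build the policy. Values ordered as in the web.dev Strict CSP recipe:
//  - 'nonce-...' allows scripts that carry this response's nonce.
//  - 'strict-dynamic' lets nonced scripts load further scripts (e.g. via createElement)
//    without listing every host; browsers that support it ignore the https: fallback.
//  - 'unsafe-inline' and https: are fallbacks for old browsers only; browsers that
//    understand nonces ignore 'unsafe-inline', so they do not weaken the policy.
//  - object-src 'none' and base-uri 'none' close the plugin/base-tag injection routes.
function example_csp_policy() {
	$nonce = example_csp_nonce();
	return implode( '; ', array(
		"script-src 'nonce-{$nonce}' 'strict-dynamic' 'unsafe-inline' https:",
		"object-src 'none'",
		"base-uri 'none'",
	) );
}

// Send the header before any output. 'send_headers' runs for frontend requests,
// 'login_init' runs early on wp-login.php (which does not fire 'send_headers').
// To test without breaking anything, switch the header name to
// Content-Security-Policy-Report-Only first and watch the browser console.
function example_csp_send_header() {
	if ( headers_sent() ) {
		return;
	}
	header( 'Content-Security-Policy: ' . example_csp_policy() );
}
add_action( 'send_headers', 'example_csp_send_header' );
add_action( 'login_init', 'example_csp_send_header' );

// Attach the same nonce to every script tag WordPress prints.
// wp_script_attributes     -> <script src="..."> tags for enqueued scripts.
// wp_inline_script_attributes -> inline <script> tags, including the ones FacetWP
//                                (v4.5+) prints with wp_print_inline_script_tag().
// wp_sanitize_script_attributes() escapes the value when the tag is rendered.
function example_csp_add_nonce( $attributes ) {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_csp_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_csp_add_nonce' );
```

After activating it, confirm the header is present and changes on every request, for example with `curl -sI https://example.com/ | grep -i content-security-policy` run twice (example.com standing in for your site). If the site sits behind a full-page cache, the cached HTML would carry a stale nonce that no longer matches the freshly generated header; either exclude nonced pages from the cache or have the cache layer substitute a fresh nonce into both header and markup on every hit.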
The easiest way to implement a Strict Content Security Policy (CSP) on the frontend and login screen of your site is to use a plugin like Strict CSP, or this mu-plugin.
To do this manually, or for more control, you can start with the following boilerplate code, which has extensive explanatory comments and examples of directives to set:
[boilerplate-csp]