Is it possible for there to be documentation on exactly what the minimal CSP is if you use docsy as your Hugo theme? It's a requirement of the Core Infrastructure Initative's Best Practices that project websites have the correct security headers set, and most Hugo themes I've seen don't seem to specify whether they require things like unsafe-inline or unsafe-eval (and many of them do).