Deployed my nextjs app as a static app with output: "export". set my cloudfront's csp header script-src: 'self', it won't run because it's saying inline-scripts couldn't execute. If I add 'unsafe-inline', it would run but a VAPT still marks it as a medium risk so they wouldn't give a certificate. I'm not exactly sure where I am using an inline script. I'm sure that I'm not using dangerouslySetInnerHTML though.
Question: How do I add a nonce, maybe using aws, to my static nextjs app or is there any other way to introduce an inline-script?
Note: there are a couple of document.getElement, .querySelector, etc. But I've asked AI and said it wouldn't necessarily introduce an inline-script and therefore wouldn't violate script-src: 'self'. I've also given it all of my package.json and said no other libraries inherently introduce inline scripts.