ninjulia / becausejulia

Codebase for Julia Czarnecki's Design Portfolio site.
https://www.becausejulia.com/

Ensure CSP is effective against XSS attacks #41

Closed ninjulia closed 9 months ago

ninjulia commented 10 months ago

Issue

| Description | Directive | Severity |
| --- | --- | --- |
| Host allowlists can frequently be bypassed. Consider using CSP nonces or hashes instead, along with 'strict-dynamic' if necessary. | script-src | High |

Possible Solution
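As an added example (not code from this issue or from the becausejulia repository), the Python below contrasts the host-allowlist script-src the audit flags with the hash- and nonce-based strict policies it recommends, and includes a check for the flagged pattern. The hosts and the sample HTML are constructed placeholders, not the site's real policy or markup.

```python
import base64
import hashlib
import re
import secrets

# Weak pattern the audit flags: a host allowlist in script-src (constructed placeholder hosts).
ALLOWLIST_CSP = "script-src 'self' https://cdn.example.test https://images.example.test"
# Constructed sample page: one external script and one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.test/bundle.js"></script>
<script>document.documentElement.classList.add("js");</script>
</head></html>"""

# Inline <script> blocks only; tags carrying src= are skipped.
INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)

def script_hashes(html: str) -> list[str]:
    """One CSP 'sha256-...' source per inline script. The browser hashes the
    exact bytes between the tags, so the body is not stripped or reformatted."""
    hashes = []
    for body in INLINE_SCRIPT_RE.findall(html):
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        hashes.append("'sha256-" + base64.b64encode(digest).decode("ascii") + "'")
    return hashes

def strict_csp(sources: list[str]) -> str:
    """'strict-dynamic' lets nonce/hash-trusted scripts load further scripts (e.g. a
    CDN bundle they inject) with no host allowlist; https: and 'unsafe-inline' are
    fallbacks for older browsers that CSP3 browsers ignore once it is present."""
    fallbacks = ["'strict-dynamic'", "https:", "'unsafe-inline'"]
    return "script-src " + " ".join(sources + fallbacks) + "; object-src 'none'; base-uri 'none'"

def hash_based_csp(html: str) -> str:
    """Hash form for a static site. Caveat: a parser-inserted <script src> tag is not
    trusted by 'strict-dynamic'; it needs a nonce or must be injected by a hashed script."""
    return strict_csp(script_hashes(html))

def nonce_based_csp() -> tuple[str, str]:
    """Nonce form for server-rendered pages: fresh per response, and the same
    value must go on every <script> tag in that response."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return nonce, strict_csp([f"'nonce-{nonce}'"])

def relies_on_host_allowlist(csp: str) -> bool:
    """True when script-src has host/scheme sources but no nonce or hash."""
    script_src = next((d.strip() for d in csp.split(";") if d.strip().startswith("script-src")), "")
    sources = script_src.split()[1:]
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return any(not s.startswith("'") for s in sources) and not keyed
```

`relies_on_host_allowlist` returns True for the allowlist policy and False for the two strict forms, which is the distinction the Lighthouse finding draws.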

ninjulia commented 10 months ago

Dependent on all other tasks in the Audit JavaScript Files Milestone to be completed.

- 38
- 41
- 48
- 49
- 54

ninjulia commented 10 months ago

I'm reopening this issue as simply removing the reference to Bootstrap JS CDN was a (known) incomplete fix. While Lighthouse is showing 💯 for Best Practices, it is still reporting the original suggested fix.

The current CSP still has several URLs added to the allow list to enable Dribbble image import in the Latest Work API. I'm moving this issue to Optimize Dribbble Imports for Latest Work Section as it seems more fitting to address as part of that task list.