As mentioned in #234, inline JS prevents setting a more robust Content Security Policy - you need to allow unsafe-inline which is not recommended.
From what I can see it's fairly straightforward to move the current inline JS in django-baton to separate static files.
For greater security you could potentially look at a solution like django-sri so all static files have integrity hashes attached, but I don't want to make unsolicited changes to introduce new dependencies!