years ago I took a more maximalist approach and it always led to project burnout and security yak shaving.
so you have my permission, as someone who has worked in security for over 10 years now, to use "it doesn't fucking matter lol" as a threat model for these kinds of side projects and work on useful functionality instead of spending twenty hours of your precious time building a login page and password reset workflow that will only ever see one user anyway.
"I spent yesterday evening reading up on optimal selection of argon2id parameters for storing passwords in my web app that lets me catalogue what electronics parts I have in my storage bin" - statements dreamed up by the utterly deranged (past me)
I ran into something yesterday where I needed to dynamically generate some CSS in a view cell, which obviously doesn't work with CSP due to having no inline styles allowed, and I was about to go down the rabbit hole of deciding whether to implement inline nonces or create a new controller that emits specific CSS payloads as per the necessary format which could then be inserted into the page, and then I realised it doesn't fucking matter and just enabled unsafe-inline because who gives a shit.
(note: do not follow this advice for things that matter; unsafe-inline is like 60% of why XSS still works in the year of our overlord 2024)
@gsuberland The year is 2028, an alert is generated on Google's Web Complete Overwatch Populace Security (WebCOPS) Dashboard. 5 minutes later you get a knock on the door "Open up! It's the CSP police!"
