CSP Manager - nonces
# help-with-umbraco
m
I am using this for the first time and it seems to work well, thanks! However, I have noticed that sometimes a nonce will have encoding in it, e.g. raRs**+**lVpZwwA/aUe6NEzk38T in HTML view source vs 'nonce-raRs+lVpZwwA/aUe6NEzk38T' in Network/headers. Also, when I go to take out the "unsafe-inline", which I thought I wouldn't need anymore with nonces, inline scripts don't work, e.g.:
<script nonce="7pk4zOM5rcaAR9BWgk6a/KZ2">
    var notificationExDays = 1;
</script>
throws: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem https://www.google.com/maps/ https://www.google.com/recaptcha/ https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/ https://www.gstatic.com/recaptcha/ 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-kSHlTXM3Aso594e3BGrFYxGyVMtUnAL+Tb/G+xjktus='), or a nonce ('nonce-...') is required to enable inline execution.
I tried putting in script-dynamic but it didn't help, but it's possible I was using that incorrectly. Any guidance would be great, thanks!
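The script-src-elem directive quoted in the error above lists no nonce, and for `<script>` elements that directive is consulted before script-src. The following check is an added example, not part of the original post and not CSP Manager code; it evaluates an inline script against a header the way the browser's fallback chain does. The two policy strings are constructed, and the `&#x2B;` form of the view-source nonce is an assumption about the encoding mentioned in the post.

```python
import html

# For <script> elements the browser uses the first of these that is present.
SCRIPT_ELEM_FALLBACK = ("script-src-elem", "script-src", "default-src")
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        # A repeated directive is ignored; the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_script_allowed(header, nonce_attr):
    """Return (allowed, governing_directive) for an inline <script nonce=...>."""
    policy = parse_csp(header)
    name = next((d for d in SCRIPT_ELEM_FALLBACK if d in policy), None)
    if name is None:
        return True, None  # nothing restricts scripts
    sources = policy[name]
    # The HTML parser decodes character references before CSP sees the attribute.
    nonce = html.unescape(nonce_attr)
    nonces = [s[7:-1] for s in sources
              if s.lower().startswith("'nonce-") and s.endswith("'")]
    if nonce and nonce in nonces:
        return True, name
    has_hash = any(s.lower().startswith(HASH_PREFIXES) for s in sources)
    # 'unsafe-inline' is ignored once the same directive carries a nonce or hash.
    if "'unsafe-inline'" in (s.lower() for s in sources) and not nonces and not has_hash:
        return True, name
    return False, name


# Constructed policies: nonce only in script-src, then also in script-src-elem.
NONCE = "raRs+lVpZwwA/aUe6NEzk38T"
BLOCKED = (f"script-src 'self' 'nonce-{NONCE}'; "
           "script-src-elem https://www.google.com/recaptcha/ 'self'")
FIXED = (f"script-src 'self' 'nonce-{NONCE}'; "
         f"script-src-elem https://www.google.com/recaptcha/ 'self' 'nonce-{NONCE}'")
SOURCE_ATTR = "raRs&#x2B;lVpZwwA/aUe6NEzk38T"  # assumed view-source form

if __name__ == "__main__":
    for label, header in (("blocked", BLOCKED), ("fixed", FIXED)):
        print(label, inline_script_allowed(header, SOURCE_ATTR))
```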