HTTP Header and Content Security Policy

Within Chubb, they have tightened the security and we are "advised" to change the CSP.  In IIS config we need to replace: <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' 'unsafe-inline' 'unsafe-eval'" /> with: <add name="Content-Security-Policy" value="default-src 'self'" /> If we do this, our application won't even start.  mxui.js?636712378638882163:7 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ". at new Function (<anonymous>) at undefined.dojo.async (mxui.js?636712378638882163:7) at mxui.js?636712378638882163:7 According to the security guys we may need to refactor or externalise inline JavaScript/CSS. My Questions: Is it possible to have this <add name="Content-Security-Policy" value="default-src 'self'" /> setting at all and run our Mendix App? If it is possible, what do we need to configure or refactor to make it actually work? If not, what is the maximum security setting with which Mendix will run?   Thanks in advance, Sander
0 answers