Just throwing this out there for anyone who read Lukas Weichselbaum and Michele Spagnuolo's paper from 2016 and would prefer an L2 nonce-based CSP with a static Hugo site served from a non-Apache server [currently applying L1 with whitelists from GitHub Pages, not Netlify, in my case].
Of course, with a static site one can't generate a new nonce every time the policy is requested, and presumably the hash-algorithm policy should also be generated dynamically; however, has anyone estimated the risk variance between a nonce or hash generated at every request versus a nonce or hash generated on every changed production git deployment?
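As an added illustration (not part of the post above, and not Hugo's or any CSP tool's own code), the following Python shows the build-time alternative the question hints at: instead of a per-request nonce, compute a CSP Level 2 `sha256-` hash-source for every inline script in the generated HTML at deployment, and keep a check that the deployed header still covers every inline script after a content change. The sample HTML is constructed for the example; the hash form (base64 of the SHA-256 of the exact script text) is what the CSP specification defines.

```python
import base64
import hashlib
import re
from typing import List

# Constructed sample page: two inline scripts of the kind a static build might emit.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<p>Hello</p>
<script>
  document.body.classList.add("js");
</script>
</body></html>"""

# Inline <script> elements without a src attribute; the hash covers the body only.
SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
                       re.DOTALL | re.IGNORECASE)


def inline_script_bodies(html: str) -> List[str]:
    """Return the exact text between <script> and </script>, untrimmed.
    CSP hashes are computed over the bytes exactly as served, whitespace included,
    so the body must not be normalised here."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def csp_sha256(source: str) -> str:
    """Hash-source in the form CSP Level 2 expects: 'sha256-' + base64(SHA-256(body))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_script_src(html: str) -> str:
    """Build-time script-src directive: 'self' for external files plus one
    hash-source per inline script. Regenerate this on every deployment."""
    sources = ["'self'"] + [f"'{csp_sha256(body)}'" for body in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)


def policy_covers_inline_scripts(html: str, script_src: str) -> bool:
    """Deployment check: does the directive contain a matching hash for every
    inline script in the page? A stale header after a content edit returns False,
    which is the failure mode a build-time (rather than per-request) policy has."""
    allowed = set(re.findall(r"'(sha256-[A-Za-z0-9+/=]+)'", script_src))
    return all(csp_sha256(body) in allowed for body in inline_script_bodies(html))


if __name__ == "__main__":
    header = build_script_src(SAMPLE_HTML)
    print("Content-Security-Policy:", header)
    print("covers all inline scripts:", policy_covers_inline_scripts(SAMPLE_HTML, header))
    edited = SAMPLE_HTML.replace('"js"', '"js-edited"')
    print("still covers after an edit:", policy_covers_inline_scripts(edited, header))
```

Running this prints a `script-src` directive with two hash-sources and shows the check passing for the page it was built from and failing once a script body changes, which is the situation a build-step policy has to handle by regenerating the header on each deployment rather than by reusing a fixed nonce that every reader of the page can see.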