CSP policies: 'unsafe-hashes' 'nonce-<base64-value>' '<hash-algorithm>-<base64-value>'

Just throwing this out there for anyone who read Lukas Weichselbaum and Michele Spagnuolo's paper from 2016 and would prefer an L2 nonce-based CSP with static Hugo served from a non-Apache server. [Currently applying L1 with whitelists from GitHub Pages, not Netlify, in my case.]

Of course, with static one can’t generate a new nonce every time the policy is requested, and presumably the hash-algorithm policy should also be generated dynamically; however, has anyone estimated risk variance between nonce or hash generated at every request versus nonce or hash generated on every changed production git deployment?