Security (severity: Low)

Inline Scripts

Checks for inline <script> blocks that break strict CSP and invite XSS.

What this check measures

We count inline `<script>` elements (those without a `src=` attribute). Too many inline scripts prevent you from shipping a strict CSP and widen the XSS attack surface.

Why it matters

A strict CSP without `'unsafe-inline'` is a massive XSS mitigation: the browser refuses to run any script the policy does not explicitly allow, so injected markup stays inert. Every inline script forces you either to allow `'unsafe-inline'` (which defeats the CSP) or to add a per-script nonce (a maintenance burden).


How our audit detects it

Count `<script>` tags without a `src` attribute (inline). Flag pages with more than ~3.

Typical findings

  • Analytics snippet inlined on every page.
  • Inline JSON configuration passed to React (alternative: `data-*` attributes).

How to fix

Move inline scripts into external `.js` files where practical. For inline scripts you cannot avoid, add a CSP nonce to each one. As a rule of thumb, keep to under 3 inline scripts per page.
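As an added example (not Pantra's code), the Python below implements both the counting rule from "How our audit detects it" and the nonce fix from "How to fix": it classifies every `<script>` element on a page, flags the page when more than three executable inline scripts remain, generates a fresh nonce for each response, emits the matching strict `Content-Security-Policy` header without `'unsafe-inline'`, and verifies that every inline script left on the rendered page carries that nonce. The `{{nonce}}` template placeholder, the two sample pages and the `object-src`/`base-uri` directives are assumptions made for illustration; JSON data blocks are counted separately because the browser never executes them and `script-src` does not apply to them.

```python
import base64
import secrets
from html.parser import HTMLParser

INLINE_SCRIPT_THRESHOLD = 3  # the check's rule of thumb: flag more than ~3

# <script> MIME types that are data blocks, never executed, so not governed
# by script-src and not in need of a nonce.
DATA_BLOCK_TYPES = {"application/json", "application/ld+json"}


class ScriptAuditor(HTMLParser):
    """Classifies every <script> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.external = 0     # <script src=...>
        self.data_blocks = 0  # non-executable JSON blocks
        self.inline = []      # nonce attribute ("" if absent) of each executable inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "src" in a:
            self.external += 1
            return
        mime = a.get("type", "").split(";")[0].strip().lower()
        if mime in DATA_BLOCK_TYPES:
            self.data_blocks += 1
            return
        self.inline.append(a.get("nonce", ""))


def _scan(html: str) -> ScriptAuditor:
    p = ScriptAuditor()
    p.feed(html)
    p.close()
    return p


def audit_inline_scripts(html: str, threshold: int = INLINE_SCRIPT_THRESHOLD) -> dict:
    """Mirror the check: count inline scripts and flag when they exceed the threshold."""
    p = _scan(html)
    return {"inline": len(p.inline), "external": p.external,
            "data_blocks": p.data_blocks, "flagged": len(p.inline) > threshold}


def make_nonce() -> str:
    """Fresh nonce per HTTP response: 128 bits from the CSPRNG, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp(nonce: str) -> str:
    """Policy without 'unsafe-inline': same-origin files via 'self', inlines only via the nonce."""
    return f"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


WEAK_CSP = "script-src 'self' 'unsafe-inline'"  # what inline-heavy pages end up shipping


def render(template: str, nonce: str) -> str:
    """Fill the assumed {{nonce}} placeholder on the unavoidable inline scripts."""
    return template.replace("{{nonce}}", nonce)


def inline_scripts_missing_nonce(html: str, nonce: str) -> int:
    """Executable inline scripts that strict_csp(nonce) would block on this response."""
    return sum(1 for n in _scan(html).inline if n != nonce)


# Constructed sample: 4 executable inline scripts, 2 external, 1 JSON-LD data block.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}</script>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Organization"}</script>
<script type="text/javascript">var cfg={"api":"/v1"};</script>
</head><body>
<!-- <script>commented out, not a real element</script> -->
<script async src="https://cdn.example.test/widget.js"></script>
<script>document.body.dataset.ready="1";</script>
<script>console.log("footer");</script>
</body></html>"""

# Constructed fixed version: two snippets moved to files, the remaining two nonced.
FIXED_TEMPLATE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script src="/static/analytics.js"></script>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Organization"}</script>
<script nonce="{{nonce}}">var cfg={"api":"/v1"};</script>
</head><body>
<script nonce="{{nonce}}">document.body.dataset.ready="1";</script>
</body></html>"""

if __name__ == "__main__":
    print("before:", audit_inline_scripts(SAMPLE_PAGE))
    nonce = make_nonce()
    page = render(FIXED_TEMPLATE, nonce)
    print("Content-Security-Policy:", strict_csp(nonce))
    print("after:", audit_inline_scripts(page),
          "missing nonce:", inline_scripts_missing_nonce(page, nonce))
```

The nonce must be regenerated for every response and never reused across responses or baked into a deployment, otherwise an attacker who learns it can attach it to injected markup; `inline_scripts_missing_nonce` is the check to run in CI against rendered output so a new un-nonced snippet fails the build instead of being silently blocked in production.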

Frequently asked questions

Is one inline script a problem?
Not by itself, but it blocks a strict CSP unless you add a nonce per deployment. As a pattern, avoid it when you can.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
