fix: remove unsafe-inline from script-src in CSP example

'unsafe-inline' for script-src negates XSS protection from CSP.
Removed it from the security headers example in quarkus-security
and all locale copies. Kept 'unsafe-inline' for style-src only
(commonly needed by CSS frameworks) with a comment recommending
nonces where possible.

docs/ja-JP/skills/quarkus-security/SKILL.md

@@ -333,9 +333,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
     // HSTS
     headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     
-    // CSP
+    // CSP — script-srcに'unsafe-inline'を使用しないでください。XSS保護が無効になります。
+    // 代わりにnonceまたはhashを使用してください。
     headers.putSingle("Content-Security-Policy", 
-        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
   }
 }
 ```

docs/tr/skills/quarkus-security/SKILL.md

@@ -380,9 +380,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
     // HSTS
     headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     
-    // CSP
+    // CSP — script-src için 'unsafe-inline' kullanmayın, XSS korumasını etkisiz kılar;
+    // bunun yerine nonce veya hash kullanın
     headers.putSingle("Content-Security-Policy", 
-        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
   }
 }
 ```

docs/zh-CN/skills/quarkus-security/SKILL.md

@@ -303,9 +303,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
     // HSTS
     headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     
-    // CSP
+    // CSP — script-src不要使用'unsafe-inline'，会使XSS保护失效；
+    // 请改用nonce或hash
     headers.putSingle("Content-Security-Policy", 
-        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
   }
 }
 ```

skills/quarkus-security/SKILL.md

@@ -380,9 +380,11 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
     // HSTS
     headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     
-    // CSP
+    // CSP — avoid 'unsafe-inline' for script-src as it negates XSS protection;
+    // use nonces or hashes instead. 'unsafe-inline' for style-src is acceptable
+    // when CSS frameworks require it, but prefer nonces where possible.
     headers.putSingle("Content-Security-Policy", 
-        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
   }
 }
 ```