diff --git a/docs/ja-JP/skills/quarkus-security/SKILL.md b/docs/ja-JP/skills/quarkus-security/SKILL.md
index 6d3248b7..8c6016db 100644
--- a/docs/ja-JP/skills/quarkus-security/SKILL.md
+++ b/docs/ja-JP/skills/quarkus-security/SKILL.md
@@ -333,9 +333,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-srcに'unsafe-inline'を使用しないでください。XSS保護が無効になります。
+ // 代わりにnonceまたはhashを使用してください。
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/docs/tr/skills/quarkus-security/SKILL.md b/docs/tr/skills/quarkus-security/SKILL.md
index 67325b41..f0b46305 100644
--- a/docs/tr/skills/quarkus-security/SKILL.md
+++ b/docs/tr/skills/quarkus-security/SKILL.md
@@ -380,9 +380,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-src için 'unsafe-inline' kullanmayın, XSS korumasını etkisiz kılar;
+ // bunun yerine nonce veya hash kullanın
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/docs/zh-CN/skills/quarkus-security/SKILL.md b/docs/zh-CN/skills/quarkus-security/SKILL.md
index ce90e424..3e48b34b 100644
--- a/docs/zh-CN/skills/quarkus-security/SKILL.md
+++ b/docs/zh-CN/skills/quarkus-security/SKILL.md
@@ -303,9 +303,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-src不要使用'unsafe-inline',会使XSS保护失效;
+ // 请改用nonce或hash
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/skills/quarkus-security/SKILL.md b/skills/quarkus-security/SKILL.md
index b3fa9705..35b80045 100644
--- a/skills/quarkus-security/SKILL.md
+++ b/skills/quarkus-security/SKILL.md
@@ -380,9 +380,11 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — avoid 'unsafe-inline' for script-src as it negates XSS protection;
+ // use nonces or hashes instead. 'unsafe-inline' for style-src is acceptable
+ // when CSS frameworks require it, but prefer nonces where possible.
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```