
Fixing TODO in web-app-factory.ts. Remove unsafe-inline and implement script nonces.#394

Merged
cameri merged 1 commit into cameri:main from Mohit-Davar:security/nonce-based-csp
Apr 8, 2026

Conversation

@Mohit-Davar
Contributor

Summary: Enhance CSP security by removing unsafe-inline and implementing script nonces

Description

  • Removed 'unsafe-inline' from script-src and style-src directives in the Content Security Policy (CSP).
  • Implemented a cryptographic nonce generated per request to allow legitimate scripts while blocking unauthorized inline scripts.
  • Cleaned up legacy TODO comments regarding CSP security.
  • Bumped the project version to 2.1.1 in package.json and package-lock.json to reflect these improvements.

Related Issue

Fixes documented security TODO in web-app-factory.ts.

Motivation and Context

Eliminating unsafe-inline is a critical step in preventing Cross-Site Scripting (XSS) attacks. By moving to a nonce-based CSP, the relay becomes significantly more secure without breaking existing frontend functionality that relies on external resources.

How Has This Been Tested?

  • Verified the nonce generation logic in src/factories/web-app-factory.ts.
  • Environment: Node.js v20 on Windows.
  • Verified version synchronisation between package.json and package-lock.json.

Screenshots (if appropriate):


Types of changes

  • Non-functional change (docs, style, minor refactor)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly (Version bump).
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my code changes.
  • All new and existing tests passed.
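The mechanism the PR body describes, written out as an added TypeScript example. This is not the relay's own `web-app-factory.ts` code: the directive set, the `renderPage` markup, the relay name and the minimal response interface are all assumptions made here to show the shape of a nonce-based policy and two checks a reviewer can run against it.

```typescript
import { randomBytes } from 'crypto';

// Added example, not the project's code. Minimal response surface so the handler
// runs against node:http's ServerResponse or any test double.
interface NonceResponse {
  setHeader(name: string, value: string): void;
  end(body: string): void;
}

// 128 bits from the CSPRNG, base64 encoded: unguessable and fresh for every response.
export function generateNonce(): string {
  return randomBytes(16).toString('base64');
}

// Hypothetical directive set. Inline execution is allowed only for elements that
// carry this response's nonce; there is no 'unsafe-inline' anywhere.
export function buildCsp(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Only markup the server emits itself gets the nonce attribute. Anything injected
// into the page later (the XSS case) cannot know the value and is blocked.
export function renderPage(nonce: string, relayName: string): string {
  return (
    '<!doctype html><html><head>' +
    `<style nonce="${nonce}">body{font-family:sans-serif}</style>` +
    `</head><body><h1>${escapeHtml(relayName)}</h1>` +
    `<script nonce="${nonce}">document.title = ${JSON.stringify(relayName)};</script>` +
    '</body></html>'
  );
}

// Per-request handler: one nonce, used in both the header and the body of this response.
export function cspHandler(res: NonceResponse): string {
  const nonce = generateNonce();
  res.setHeader('Content-Security-Policy', buildCsp(nonce));
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // Nonced pages must not be cached: a replayed body carries a nonce the new header rejects.
  res.setHeader('Cache-Control', 'no-store');
  const body = renderPage(nonce, 'example relay'); // constructed name
  res.end(body);
  return body;
}

// Review check 1: does the policy still grant inline execution anywhere?
export function policyAllowsUnsafeInline(csp: string): boolean {
  return /'unsafe-inline'/.test(csp);
}

// Review check 2: does every inline <script>/<style> opening tag in the body carry
// exactly the nonce the header advertises? A mismatch means the browser blocks it.
export function inlineTagsCarryNonce(html: string, csp: string): boolean {
  const m = /'nonce-([A-Za-z0-9+\/=]+)'/.exec(csp);
  if (!m) return false;
  const nonce = m[1];
  const tags = html.match(/<(script|style)\b[^>]*>/g) || [];
  return tags.length > 0 && tags.every((t) => t.includes(`nonce="${nonce}"`));
}
```

Two things worth checking in a browser before relying on this: the nonce must be minted per response and never reused (a cached or pre-rendered page breaks as soon as the header changes, hence `Cache-Control: no-store`), and dropping `'unsafe-inline'` from `style-src` also blocks `style="..."` attributes, which a nonce cannot cover, so any frontend that uses them will show violations in the console.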

Owner

@cameri cameri left a comment


Thank you!

@cameri cameri merged commit 0d4176d into cameri:main Apr 8, 2026
2 checks passed