I'm running my node.js web app at http://localhost:3000/
I'm getting this error from Helmet:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' 'sha256-DFWWwGm2cBwXA13nbn4jDkHCl2Oc/0Z2tKvKkN4NWj4=' http://localhost:3000/ http://localhost:4000/ [.....]". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
http://localhost:3000/ is listed in the script-src directive. Why am I getting this error?
From the error message, it looks like you're trying to execute an inline script, which isn't allowed by your CSP.
You've included "unsafe-inline" which would normally allow it, but the SHA causes that to be ignored; see the last sentence in the error message.
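The rule in that last sentence, as an added example that is not part of the original question or answer: a simplified model of how a browser decides on an inline script, run against the source list from the error message. The names cspHash, inlineScriptAllowed, PAGE_SOURCES and INLINE are hypothetical, and the inline script is a constructed sample.

```javascript
const crypto = require('crypto');

// Hash source for the exact text between <script> and </script>
// (whitespace included), in the form used inside script-src.
function cspHash(scriptText, algo = 'sha256') {
  const digest = crypto.createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/;
const NONCE_RE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/;

// Simplified model of the inline-script check. Host sources such as
// http://localhost:3000/ are never consulted here: they only match the
// URL of an external script, not inline code served from that origin.
function inlineScriptAllowed(sources, scriptText, nonceAttr = null) {
  const hashes = sources.filter((s) => HASH_RE.test(s));
  const nonces = sources.filter((s) => NONCE_RE.test(s));
  // A nonce on the <script> element that appears in the list allows it.
  if (nonceAttr !== null && nonces.includes(`'nonce-${nonceAttr}'`)) return true;
  // A listed hash allows the script only if it matches the script text.
  if (hashes.some((h) => h === cspHash(scriptText, h.slice(1, 7)))) return true;
  // 'unsafe-inline' only counts when the list has no hash and no nonce.
  return hashes.length === 0 && nonces.length === 0 && sources.includes("'unsafe-inline'");
}

// Source list from the error message (the elided part is left out).
const PAGE_SOURCES = [
  "'unsafe-eval'",
  "'unsafe-inline'",
  "'sha256-DFWWwGm2cBwXA13nbn4jDkHCl2Oc/0Z2tKvKkN4NWj4='",
  'http://localhost:3000/',
  'http://localhost:4000/',
];

// Constructed inline script standing in for the one the page tries to run.
const INLINE = 'console.log("hello from an inline script");';

// Policy as posted: the hash disables 'unsafe-inline' and does not match.
console.log(inlineScriptAllowed(PAGE_SOURCES, INLINE)); // false
// Same list without the hash: 'unsafe-inline' applies again.
console.log(inlineScriptAllowed(PAGE_SOURCES.filter((s) => !HASH_RE.test(s)), INLINE)); // true
// Same list plus the hash of this exact script: allowed by hash.
console.log(inlineScriptAllowed([...PAGE_SOURCES, cspHash(INLINE)], INLINE)); // true
```

The hash covers the script text byte for byte, so any edit to the inline script requires a new value in the script-src list.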