pub fn build_csp_header(nonce: &str) -> String
Build a strict Content-Security-Policy header value.
Allows scripts and styles only via nonce. No inline, no eval.
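
A sketch of how a nonce-only policy like this can be built, added here as an example and not the documented function's own source. The directive list, the names `build_csp_header_checked` and `is_valid_nonce`, and the 22-character minimum are assumptions; the point shown is rejecting a nonce that could break out of the header value.

```rust
// Added example: NOT the documented crate's source. The directive list,
// function names and length threshold below are assumptions.

/// CSP nonce grammar: base64 / base64url characters plus up to two '='.
/// Anything else (quote, ';', space) could close the nonce source and
/// append attacker-chosen directives, so it is rejected outright.
fn is_valid_nonce(nonce: &str) -> bool {
    let body = nonce.trim_end_matches('=');
    let padding = nonce.len() - body.len();
    padding <= 2
        && body.len() >= 22 // 16 random bytes, unpadded base64 (assumed minimum)
        && body
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || matches!(b, b'+' | b'/' | b'-' | b'_'))
}

/// Hypothetical checked variant of a nonce-only policy builder.
pub fn build_csp_header_checked(nonce: &str) -> Result<String, &'static str> {
    if !is_valid_nonce(nonce) {
        return Err("nonce is not a base64 value of sufficient length");
    }
    // No 'unsafe-inline' and no 'unsafe-eval': only nonce-tagged elements run.
    Ok(format!(
        "default-src 'none'; script-src 'nonce-{n}'; style-src 'nonce-{n}'; \
         base-uri 'none'; object-src 'none'",
        n = nonce
    ))
}

fn main() {
    // Constructed sample value; a real nonce is fresh CSPRNG output per response.
    let nonce = "q1w2e3r4t5y6u7i8o9p0AB";
    println!("{:?}", build_csp_header_checked(nonce));
    println!("{:?}", build_csp_header_checked("x'; script-src *"));
}
```

The same nonce value must appear in the `nonce` attribute of every `<script>` and `<style>` element the response emits, and must never be reused across responses.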