Remove `unsafe-inline` from CSP

[theseion]

We currently use a couple of inline scripts (e.g. for fontawesome) that requires unsafe-inline in the Content Security Policy header.

Acceptance criteria

• remove unsafe-inline from the CSP
• use hashes / nonces to allow loading of those resources that would be blocked by unsafe-inline

See also #343

[fzipi]

Fixed in #343

[fzipi]

Oops, too quick there. We need to followup.