diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index a489fdfbe..00f0eede8 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -51,8 +51,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
   # Connect-src is available for any origin (*) because of webfinger query to redirect to content
   @connect_src "connect-src 'self' * blob: "
   # unsafe-eval is because of JS issues with regenerator-runtime
-  # unsafe-inline will be overriten in prod with sha256 hash
-  @script_src "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
+  @script_src "script-src 'self' 'unsafe-eval' "
   @style_src "style-src 'self' "
   @font_src "font-src 'self' "
 
@@ -76,7 +75,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 
     script_src =
       if Config.get(:env) == :dev do
-        @script_src
+        [@script_src, "'unsafe-inline' "]
       else
         [
           @script_src,
diff --git a/test/web/plugs/http_security_plug_test.exs b/test/web/plugs/http_security_plug_test.exs
index 58b6e1ea4..a7d533a50 100644
--- a/test/web/plugs/http_security_plug_test.exs
+++ b/test/web/plugs/http_security_plug_test.exs
@@ -73,7 +73,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
       [csp] = Conn.get_resp_header(conn, "content-security-policy")
 
       assert csp =~
-               ~r/script-src 'self' 'unsafe-eval' 'unsafe-inline' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
+               ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
     end
   end