Tags: josephmarino/portfolio

v1.0.0

Verified

This commit was signed with the committer’s verified signature.
josephmarino Joseph Marino
Nonce attribute added to javascript blocks to comply with CSP

I added a nonce attribute to all JavaScript blocks to comply with a CSP
that I set for my site, josephmarino.net. I used Google's CSP evaluator
as a starting point for building a CSP. I implemented a CSP to learn
about how CSPs work and to help mitigate against cross-site scripting
(XSS) attacks. When a page loads, a nonce is generated by PHP using the
GenerateNonce() function in portfolio.class. The nonce is a one-time-use,
cryptographically strong string that is generated using one of PHP's
CSPRNG functions, random_bytes(). After the nonce is generated, it is
base64 encoded using PHP's base64_encode() function.

An alternative method to using PHP to generate a nonce is to generate a
nonce using the set_secure_random_alphanum directive in OpenResty's
set_misc_module for NGINX. In that type of setup, when a page with a
JavaScript block that contains a nonce attribute such as "INSERT_NONCE"
is processed by NGINX, the sub_filter directive in NGINX's
http_sub_module would replace the "INSERT_NONCE" string in the nonce
attribute with a nonce generated by OpenResty's
set_secure_random_alphanum directive.

I chose to generate the nonce using PHP's random_bytes function because
it is a simple and secure way to generate a nonce.

At the time of writing this message, the CSP for this portfolio is:

script-src 'strict-dynamic' 'nonce-$generated_nonce';
object-src 'none';
base-uri 'none';
default-src 'none';
connect-src 'self';
font-src 'self';
frame-src 'self';
frame-ancestors 'self';
img-src 'self' https://www.google-analytics.com
https://www.googletagmanager.com;
style-src 'self';
form-action 'self';
worker-src 'self';

The above CSP for josephmarino.net is implemented as a
"Content-Security-Policy" HTTP header.
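The following is an added example, not the portfolio's own code, showing the flow the commit message describes end to end: a per-request nonce from random_bytes() and base64_encode(), the policy above sent as a Content-Security-Policy header, and an inline script tagged with the nonce. The function names (generateNonce, buildCsp, scriptTag) and the 16-byte nonce length are assumptions; portfolio.class's GenerateNonce() may differ.

```php
<?php
// Added example (not the portfolio's own code). Names and the nonce length
// are assumptions; the policy string is the one listed in the commit message.

declare(strict_types=1);

/** Return a fresh base64-encoded nonce from PHP's CSPRNG (16 bytes = 128 bits). */
function generateNonce(int $bytes = 16): string
{
    return base64_encode(random_bytes($bytes));
}

/** Build the policy from the commit message with the nonce substituted in. */
function buildCsp(string $nonce): string
{
    $directives = [
        "script-src 'strict-dynamic' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
        "default-src 'none'",
        "connect-src 'self'",
        "font-src 'self'",
        "frame-src 'self'",
        "frame-ancestors 'self'",
        "img-src 'self' https://www.google-analytics.com https://www.googletagmanager.com",
        "style-src 'self'",
        "form-action 'self'",
        "worker-src 'self'",
    ];
    return implode('; ', $directives) . ';';
}

/** Render a script tag carrying the nonce so the browser will execute it. */
function scriptTag(string $nonce, string $js): string
{
    // Base64 output never contains quotes, but escaping the attribute is cheap.
    return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">' . $js . '</script>';
}

$nonce = generateNonce();

// The header must go out before any body output, and the nonce must be
// generated anew for every response: a nonce baked into a cached page is
// predictable, which is equivalent to allowing 'unsafe-inline'.
if (!headers_sent()) {
    header('Content-Security-Policy: ' . buildCsp($nonce));
}

echo "<!doctype html>\n<html><head><title>nonce demo</title></head><body>\n";
echo scriptTag($nonce, "console.log('allowed: nonce matches the policy');"), "\n";
// An inline script without the nonce is refused by the browser and logged as a CSP violation.
echo "<script>console.log('blocked: no nonce');</script>\n";
echo "</body></html>\n";
```

Because the policy uses 'strict-dynamic', any script that a nonced script itself loads (for example via document.createElement('script')) inherits the trust, so only the entry-point scripts on the page need the attribute; the browser developer console shows a violation for the second, un-nonced tag, which is a quick way to confirm the policy is actually enforced.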