Content-Security-Policy (CSP) header validation

I am trying to secure an A+ rating for a WordPress installation running Gravity Forms.
I can only get a maximum of an A rating, as the Content-Security-Policy requires 'unsafe-inline' (removing it disables the forms) and 'unsafe-eval' (removing it disables entries export) to display and run Gravity Forms.

Can anyone advise what CSP settings allow GF to operate properly?

header("Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: ; ");

Any help welcome.

I recommend opening a support ticket for these questions, but I will leave this open here as well in case anyone has a recommendation.
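
For checking a policy like the one in the question before deploying it, here is an added example (not from the thread or from Gravity Forms) that parses a CSP header value and lists the source expressions that loosen script protection. The function names `parse_csp` and `audit` are hypothetical, and the findings say nothing about how any particular grading scanner scores a site or about what Gravity Forms needs.

```python
# Added example: flag CSP source expressions that weaken script protection.
RISKY = {
    "'unsafe-inline'": "inline <script> blocks and event-handler attributes are allowed",
    "'unsafe-eval'": "eval() and other string-to-code calls are allowed",
    "https:": "any HTTPS origin is allowed",
    "http:": "any HTTP origin is allowed",
    "*": "any origin is allowed",
    "data:": "data: URLs are allowed",
}
SMART_QUOTES = "\u2018\u2019\u201c\u201d"
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(value, directive="script-src"):
    """List (source, reason) findings for one fetch directive."""
    policy = parse_csp(value)
    # A fetch directive that is absent falls back to default-src.
    sources = policy.get(directive, policy.get("default-src", []))
    strict = any(s.lower().startswith(STRICT_PREFIXES) for s in sources)
    findings = []
    for src in sources:
        key = src.lower()
        if any(q in src for q in SMART_QUOTES):
            findings.append((src, "typographic quotes: not a valid keyword, browsers ignore it"))
        elif key == "'unsafe-inline'" and strict:
            continue  # CSP2+ browsers ignore 'unsafe-inline' next to a nonce or hash
        elif key in RISKY:
            findings.append((src, RISKY[key]))
    return findings

# The policy from the question (straight quotes), plus two constructed variants.
PAGE_POLICY = "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: ;"
NONCE_POLICY = "script-src 'self' 'nonce-EXAMPLEONLY' 'unsafe-inline'"  # constructed
PASTED_POLICY = "default-src \u2018self\u2019"  # constructed: curly quotes from copy/paste

if __name__ == "__main__":
    for label, p in [("page", PAGE_POLICY), ("nonce", NONCE_POLICY), ("pasted", PASTED_POLICY)]:
        print(label, audit(p))
```

Pass `directive="style-src"` or another fetch directive to audit it the same way; directives that do not fall back to `default-src` (such as `form-action`) are outside what this check models.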