Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: atilafassina

src/routes/solid-start/guides/security.mdx

@@ -38,7 +38,7 @@ It is highly recommended to read the [Cross Site Scripting Prevention Cheat Shee
 
 To configure the `Content-Security-Policy` HTTP header, a [middleware](/solid-start/advanced/middleware) can be used.
 
-If you enforce a strict CSP, configure SolidStart to use JSON serialization mode to avoid `unsafe-eval` requirements. See [defineConfig serialization](/solid-start/reference/config/define-config#serialization).
+If you enforce a strict CSP, configure SolidStart to use JSON serialization mode to avoid `unsafe-eval` requirements. See [defineConfig serialization](/solid-start/reference/config/define-config#serialization). Note that `'unsafe-eval'` is only required when using `serialization.mode: "js"`, and the nonce-based CSP example below assumes this mode.
 
 ### With nonce (recommended)