How to specify Content Security Policy with hash in Spring Security

I am using a Java Spring Boot application with Thymeleaf and I want to protect my app from non-persistent XSS with a Content Security Policy in Spring Security. Now, in my front end, none of the buttons work because I have put JavaScript on them to make REST calls. Below is my security config:

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    // Imports and the surrounding class are added for completeness; the question only showed the method.
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requiresChannel().anyRequest().requiresSecure()   // force HTTPS for every request
                .and()
                .authorizeRequests()
                    .antMatchers("/login", "/css_general/**", "/css_page_specific/**", "/**/*.js", "/**/*.css")
                        .permitAll()
                    .anyRequest()
                        .authenticated()
                .and()
                .formLogin(form -> form
                    .loginPage("/login")
                    .defaultSuccessUrl("/index.html")
                    .failureUrl("/login?error=true")
                )
                .sessionManagement().invalidSessionUrl("/login")
                .and()
                .httpBasic()
                .and()
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/login")
                    .invalidateHttpSession(true)
                    .deleteCookies("JSESSIONID")
                    .permitAll()
                .and()
                .cors().disable()
                .headers()
                    .xssProtection()
                    .and()
                    // Only default-src is set, so script-src and style-src fall back to it
                    // and every inline <script>/<style> on the page is blocked.
                    .contentSecurityPolicy("default-src 'self'");
        }
    }

And I get the following:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-bzTE78wYOlzPtHKiZ2sKJr4A09DavGERaFsjDU2pdq8='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

If I use script-src then I don't see the above error, but I still can't log in either. How can I add encryption/SHA-256 so that Thymeleaf and the subsequent inline scripts on my page work but I'm still protected from XSS? I would like to get the best of both worlds: be protected from XSS as well as not having to make changes to Thymeleaf/my JavaScript. Do I need to create a helper function that does the SHA-256, and I put that function inside the Content Security Policy? Can someone give an example?
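The following is an added example, not code from the question: it computes the `'sha256-...'` source expression a browser expects for an inline `<script>` or `<style>` body and builds an explicit `script-src`/`style-src` policy from it, which can then be passed to `.headers().contentSecurityPolicy(...)` in place of the literal string above. The class name, method names and sample inline bodies are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.List;

// Added example: allow specific inline bodies by hash instead of 'unsafe-inline'.
public class CspHashPolicy {

    // The hash must cover the exact text between the opening and closing tag,
    // whitespace and newlines included, encoded as UTF-8; one changed byte
    // produces a different hash and the browser blocks the block again.
    static String cspHash(String inlineBody) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(inlineBody.getBytes(StandardCharsets.UTF_8));
            return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every JRE
        }
    }

    // Set script-src and style-src explicitly so default-src is no longer the
    // fallback (the browser message in the question points this out).
    static String buildPolicy(List<String> inlineScripts, List<String> inlineStyles) {
        StringBuilder sb = new StringBuilder("default-src 'self'; script-src 'self'");
        for (String s : inlineScripts) sb.append(' ').append(cspHash(s));
        sb.append("; style-src 'self'");
        for (String s : inlineStyles) sb.append(' ').append(cspHash(s));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample bodies; in a real template use the exact source text.
        String script = "document.getElementById('btn').addEventListener('click', callApi);";
        String style = "body { margin: 0; }";
        String policy = buildPolicy(List.of(script), List.of(style));
        System.out.println(policy);
        // In the security config from the question this value replaces the literal:
        //   .headers().contentSecurityPolicy(policy)
    }
}
```

As the browser message notes, hashes do not cover `onclick="..."` attribute handlers, so button handlers need to move into a hashed `<script>` block that registers them with `addEventListener`. An inline body that Thymeleaf renders with request-specific values gets a different hash on every request, and a per-request nonce is the alternative there.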



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
