From b17af439a0c7b93b9b82583abffbd7912b9a5ef8 Mon Sep 17 00:00:00 2001
From: James
Date: Sat, 28 Feb 2026 11:45:49 -0500
Subject: [PATCH] Fix CSP: allow Tailwind CDN and Google Fonts
---
 api/middleware.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/middleware.go b/api/middleware.go
index 6826fda..5786db0 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -177,7 +177,7 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler {
 // Referrer policy
 w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 // Content Security Policy - restrictive default
- w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.fireworks.ai")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.fireworks.ai https://fonts.googleapis.com")
 next.ServeHTTP(w, r)
 })
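Review bot: The new `script-src` entry `https://cdn.tailwindcss.com` lets a third-party host serve script that runs with this origin's privileges, and because `'unsafe-inline'` is still present the policy gives little protection against injected script, yet the comment above it still reads "restrictive default". If that host is the Tailwind Play CDN, its documentation describes it as a development aid, so compiling the stylesheet at build time and serving it from `'self'` would let `script-src` stay without the CDN entry. The `https://fonts.googleapis.com` addition to `connect-src` looks unnecessary, since the stylesheet is loaded under `style-src` and the font files under `font-src`; I would drop it unless a fetch/XHR call in the front end needs it. At minimum the comment should describe the policy as it now is, e.g. `// Content Security Policy - allows Tailwind CDN script and Google Fonts; script-src still permits 'unsafe-inline'`. The body of SecurityHeadersMiddleware begins and ends outside this hunk, so any other headers it sets are not visible here.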