From 31dfbe3cca16bc5d894f83f5a13cf6f9b4c36c77 Mon Sep 17 00:00:00 2001
From: Jan Willem Mannaerts
Date: Sat, 28 Feb 2026 16:40:02 +0100
Subject: [PATCH] Broaden CSP img-src to allow all Atlassian avatar domains
Co-Authored-By: Claude Opus 4.6
---
 backend/src/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/index.js b/backend/src/index.js
index 57bb0ac..a61bb87 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -59,7 +59,7 @@ app.use((_req, res, next) => {
 "script-src 'self'",
 "style-src 'self' 'unsafe-inline'",
 `connect-src 'self' wss://${isProd ? new URL(frontendUrl).host : '*'}`,
- "img-src 'self' https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://secure.gravatar.com data:",
+ "img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://secure.gravatar.com data:",
 "font-src 'self'",
 "object-src 'none'",
 "base-uri 'self'",
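Review bot: The two wildcard sources on the new `img-src` line admit every subdomain of `atl-paas.net` and `atlassian.com`, which is far wider than the avatar hosts named in the commit title, and nothing in the hunk records why that width is needed. Image loads are an outbound request channel, so with `style-src 'unsafe-inline'` two lines above, injected markup or CSS could send requests to any host matching a wildcard; those domains presumably also serve tenant- or user-controlled content, which should be confirmed before relying on them. I would keep the list explicit and add only the avatar hosts the browser console shows as blocked, e.g. `"img-src 'self' https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://<observed-avatar-host> https://secure.gravatar.com data:",` (the second host is a placeholder, not a real name). A comment such as `// img-src: explicit avatar hosts only; add a host when an avatar is reported blocked` would stop the list from being widened again without review. The `app.use` callback starts and ends outside this hunk.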