From 4d8c2a301c47d85d04253a1edbeaeaac21ffc5e3 Mon Sep 17 00:00:00 2001
From: Jan Willem Mannaerts
Date: Sat, 28 Feb 2026 16:50:02 +0100
Subject: [PATCH] Fix CSP to allow Google Fonts and Gravatar avatars
Co-Authored-By: Claude Opus 4.6
---
 backend/src/index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/backend/src/index.js b/backend/src/index.js
index a61bb87..7b38fc9 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -57,10 +57,10 @@ app.use((_req, res, next) => {
 res.setHeader('Content-Security-Policy', [
 "default-src 'self'",
 "script-src 'self'",
- "style-src 'self' 'unsafe-inline'",
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 `connect-src 'self' wss://${isProd ? new URL(frontendUrl).host : '*'}`,
- "img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://secure.gravatar.com data:",
- "font-src 'self'",
+ "img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://secure.gravatar.com https://*.gravatar.com data:",
+ "font-src 'self' https://fonts.gstatic.com",
 "object-src 'none'",
 "base-uri 'self'",
 "form-action 'self'",
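Review bot: In the new img-src line, `https://*.gravatar.com` already matches `https://secure.gravatar.com`, so the explicit entry is now redundant, and the wildcard widens the allowed image origins to every gravatar.com subdomain rather than the host the avatars are actually fetched from. If a specific host other than secure.gravatar.com triggered this change, list that host instead of the wildcard; otherwise drop the redundant entry so the directive reads `"img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://*.gravatar.com data:",`. A one-line comment above the array, such as `// Third-party origins: Google Fonts (style-src/font-src), Atlassian and Gravatar avatars (img-src)`, would record why each external host is permitted so later edits do not accumulate unexplained entries. The `app.use` callback that builds this header begins and ends outside the hunk.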