From dc6b3b30d013e72332be1303f9e1d7e5acc5026c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?=
Date: Sat, 6 Dec 2025 15:03:36 +0100
Subject: [PATCH] fix: update Content Security Policy to allow Cloudflare Turnstile scripts

---
 backend/src/app.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/src/app.js b/backend/src/app.js
index 22850e4..690d62a 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -18,13 +18,13 @@ app.use(helmet({
 directives: {
 defaultSrc: ["'self'"],
 styleSrc: ["'self'", "'unsafe-inline'", "https://ui-avatars.com"],
- scriptSrc: ["'self'"],
+ scriptSrc: ["'self'", "https://challenges.cloudflare.com"],
 imgSrc: ["'self'", "data:", "https:", "https://ui-avatars.com"],
- connectSrc: ["'self'"],
+ connectSrc: ["'self'", "https://challenges.cloudflare.com"],
 fontSrc: ["'self'"],
 objectSrc: ["'none'"],
 mediaSrc: ["'self'"],
- frameSrc: ["'none'"],
+ frameSrc: ["'self'", "https://challenges.cloudflare.com"],
 },
 },
 hsts: {
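Review bot: The new `frameSrc` value adds `'self'` next to the Turnstile origin, which is wider than the commit subject calls for. The previous policy was `'none'`, so `frameSrc: ["https://challenges.cloudflare.com"],` would permit the widget's iframe while still blocking same-origin framing, unless the app really does embed its own pages. The `connectSrc` addition is worth confirming in the same way: if the widget works with no blocked-connection reports in the browser console, `connectSrc` can probably stay at `["'self'"]`. A short comment above `scriptSrc`, for example `// Cloudflare Turnstile: script and challenge iframe are served from challenges.cloudflare.com`, would record why a third-party origin is allowed. The `helmet({ ... })` call begins and ends outside this hunk, so the rest of the policy was not reviewed.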