From b7436087427a926619c80a288e06f3b5ac498a9b Mon Sep 17 00:00:00 2001
From: echo
Date: Sun, 1 Mar 2026 02:14:49 +0100
Subject: [PATCH] fix: update CSP to allow PostHog analytics scripts and connections

- Add PostHog domains to script-src and connect-src CSP directives
- Updated both development (index.html) and production (nginx.conf) CSP
- Allows https://eu.i.posthog.com and https://eu-assets.i.posthog.com

---
 frontend/index.html | 1 +
 frontend/nginx.conf | 2 +-
 pwa/index.html | 1 +
 pwa/nginx.conf | 2 +-
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/frontend/index.html b/frontend/index.html
index 437d8bf..626d11c 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -4,6 +4,7 @@
+
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 9007510..1240b93 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -46,7 +46,7 @@ http {
 index index.html;
 # Security headers for frontend
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 http://localhost:1337 https://api.placebo.mk https://cms.placebo.mk;" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://eu-assets.i.posthog.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 http://localhost:1337 https://api.placebo.mk https://cms.placebo.mk https://eu.i.posthog.com https://eu-assets.i.posthog.com;" always;
 # Handle React Router
 location / {
diff --git a/pwa/index.html b/pwa/index.html
index 3dcd13f..ba65b7a 100644
--- a/pwa/index.html
+++ b/pwa/index.html
@@ -5,6 +5,7 @@
+
diff --git a/pwa/nginx.conf b/pwa/nginx.conf
index c1de787..21cfe59 100644
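Review bot: The new `https://eu-assets.i.posthog.com` entry in `script-src` sits beside the retained `'unsafe-inline' 'unsafe-eval'`, so the header still permits inline script injection and the allowlist now also grants full script execution to a second origin — a trust decision the hunk leaves undocumented; the same change appears in the pwa/nginx.conf hunk that follows. I would expand the existing comment to record it, e.g. `# Security headers for frontend; PostHog (EU) is allowlisted: loader from eu-assets.i.posthog.com, event/config requests to eu.i.posthog.com`. If the analytics snippet loads a fixed file, the `script-src` entry can name that path instead of the whole origin, and a `report-uri`/`report-to` directive would surface blocked PostHog requests during rollout instead of letting them fail silently. The index.html hunks' content is not visible in this rendering, so whether a meta-tag CSP there matches these headers cannot be checked here; if both are present the browser enforces both, and they have to be kept in sync.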
--- a/pwa/nginx.conf
+++ b/pwa/nginx.conf
@@ -46,7 +46,7 @@ http {
 index index.html;
 # Security headers for frontend
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.placebo.mk https://cms.placebo.mk https://app.placebo.mk wss://api.placebo.mk; manifest-src 'self';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://eu-assets.i.posthog.com; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.placebo.mk https://cms.placebo.mk https://app.placebo.mk wss://api.placebo.mk https://eu.i.posthog.com https://eu-assets.i.posthog.com; manifest-src 'self';" always;
 # Handle React Router
 location / {