From c3b01de12edbc9cb0b19694be2b049e0c11a29d8 Mon Sep 17 00:00:00 2001
From: echo
Date: Tue, 24 Feb 2026 19:16:22 +0100
Subject: [PATCH] fix: update CSP headers to allow production API domains
- Add https://api.placebo.mk to connect-src for API requests
- Add https://cms.placebo.mk to connect-src for CMS API
- Add Google Fonts domains to style-src and font-src
- Add manifest-src for PWA manifest
- This fixes 'Refused to connect' CSP violations
---
 frontend/nginx.conf | 2 +-
 pwa/nginx.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 0905f49..9007510 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -46,7 +46,7 @@ http {
 index index.html;
 # Security headers for frontend
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' http://localhost:3000 http://localhost:1337;" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 http://localhost:1337 https://api.placebo.mk https://cms.placebo.mk;" always;
 # Handle React Router
 location / {
diff --git a/pwa/nginx.conf b/pwa/nginx.conf
index 0905f49..bafd20d 100644
--- a/pwa/nginx.conf
+++ b/pwa/nginx.conf
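Review bot: The added connect-src keeps `http://localhost:3000 http://localhost:1337` beside the new production origins, so a policy the commit message describes as production still lets page script reach plaintext services on the visitor's own loopback interface. If this file is what production serves, drop the development origins there, e.g. `connect-src 'self' https://api.placebo.mk https://cms.placebo.mk;`, and keep the localhost entries in a development-only config; the same line appears in the pwa/nginx.conf hunk. The header string is duplicated across the two files and already differs (only the PWA copy gets manifest-src), so a shared include would keep them in step. script-src still carries `'unsafe-inline' 'unsafe-eval'`, which this commit does not touch but which leaves the policy with little protection against script injection. The enclosing `http {` block and the `location / {` block both continue outside the hunk.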
@@ -46,7 +46,7 @@ http {
 index index.html;
 # Security headers for frontend
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' http://localhost:3000 http://localhost:1337;" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 http://localhost:1337 https://api.placebo.mk https://cms.placebo.mk; manifest-src 'self';" always;
 # Handle React Router
 location / {
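Review bot: `manifest-src 'self'` at the end of the added policy has no effect, because manifest-src falls back to `default-src 'self'` when it is absent. If the PWA manifest was really being refused, the cause is not visible in this hunk and this directive will not change the outcome. Either remove it or keep it with a comment such as `# explicit for readability; default-src 'self' already covers the manifest`, and make the same choice in frontend/nginx.conf so the two policies do not drift. The surrounding `http {` block and `location / {` continue outside the hunk.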