From da8603c57ca59e903de3f3772d49544045f81b7e Mon Sep 17 00:00:00 2001
From: oabrivard
Date: Thu, 2 Apr 2026 23:34:03 +0200
Subject: [PATCH] fix: allow Turnstile connect-src in CSP to prevent hanging requests

The CSP had connect-src 'self' which blocked Cloudflare Turnstile's internal fetch requests to challenges.cloudflare.com, causing them to hang indefinitely and triggering a page reload loop.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/src/router.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/router.rs b/backend/src/router.rs
index 1793941..f8190cf 100644
--- a/backend/src/router.rs
+++ b/backend/src/router.rs
@@ -132,7 +132,7 @@ pub fn build_router(state: AppState, config: &AppConfig) -> Router {
 .layer(SetResponseHeaderLayer::overriding(
 HeaderName::from_static("content-security-policy"),
 HeaderValue::from_static(
- "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; img-src 'self' data:; font-src 'self' data:; connect-src 'self'",
+ "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://challenges.cloudflare.com",
 ),
 ));
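Review bot: The policy passed to `HeaderValue::from_static(...)` still omits `base-uri`, `form-action` and `frame-ancestors`, none of which fall back to `default-src 'self'`, so they stay unrestricted unless another layer outside this hunk sets them. Adding only the exact Turnstile origin to `connect-src` is suitably narrow, but that origin now appears in three directives inside one long literal, where a later widening (a wildcard or an extra host) is easy to miss in review. I would split the value with `concat!`, one directive per line, with a comment saying why Turnstile needs each entry; the header bytes stay identical. If the app is never framed and its forms post only to its own origin, appending `; base-uri 'self'; form-action 'self'; frame-ancestors 'none'` would close the gap, but confirm that against the frontend first. `build_router` starts and ends outside the hunk.

```rust
HeaderName::from_static("content-security-policy"),
HeaderValue::from_static(concat!(
    "default-src 'self'; ",
    // Cloudflare Turnstile: its origin is allowed for the script, the widget
    // frame and the widget's fetch calls. Keep these three entries in sync
    // and limited to this exact origin (no wildcards).
    "script-src 'self' https://challenges.cloudflare.com; ",
    "style-src 'self' 'unsafe-inline'; ",
    "frame-src https://challenges.cloudflare.com; ",
    "img-src 'self' data:; ",
    "font-src 'self' data:; ",
    "connect-src 'self' https://challenges.cloudflare.com",
)),
// … unchanged: closing of the SetResponseHeaderLayer::overriding call …
```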