From a9ae69cad5c479b1b42e9d20cb856006a57f5e18 Mon Sep 17 00:00:00 2001
From: Franz Kafka
Date: Sun, 22 Mar 2026 17:22:31 +0000
Subject: [PATCH] fix(security): allow HTMX CDN and inline scripts in CSP

script-src now permits 'unsafe-inline' and https://unpkg.com so the autocomplete script and HTMX library load correctly.
---
 internal/middleware/security.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/middleware/security.go b/internal/middleware/security.go
index 09f3878..2d75003 100644
--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@@ -80,7 +80,7 @@ func SecurityHeaders(cfg SecurityHeadersConfig) func(http.Handler) http.Handler
 func defaultCSP() string {
 return strings.Join([]string{
 "default-src 'self'",
-"script-src 'self'",
+"script-src 'self' 'unsafe-inline' https://unpkg.com",
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' https: data:",
 "connect-src 'self'",
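Review bot: Adding `'unsafe-inline'` to script-src on the `+` line removes the main protection the script-src directive provides, since any injected inline `<script>` is now permitted by the policy, and `https://unpkg.com` as a bare origin allows loading any package hosted on that CDN rather than only HTMX; the `fix(security)` title understates that this is a relaxation of the policy. Prefer a per-request nonce: have the middleware generate a random value per response, emit it as `nonce="…"` on the inline autocomplete `<script>` tag, and change the directive to `"script-src 'self' 'nonce-" + nonce + "' https://unpkg.com"`, which means `defaultCSP` must take the nonce as a parameter (its signature's callers and the closing of the function are outside this hunk, and `SecurityHeadersConfig` in the hunk header may be the place to plumb it). For the HTMX dependency, either serve it from `'self'` alongside the app's own static assets or pin a specific versioned URL and add Subresource Integrity (`integrity="sha384-<hash placeholder>"`) on the script tag so a CDN compromise cannot swap the file. If a nonce is not feasible in this change, at least add a comment above the directive stating that `'unsafe-inline'` is a temporary concession for the inline autocomplete script and is to be replaced by a nonce or hash.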