From 8c60614023d7da0539edfa5d380efbe81d0659f8 Mon Sep 17 00:00:00 2001
From: Tudor Sitaru
Date: Fri, 20 Feb 2026 15:43:51 +0000
Subject: [PATCH] Fix CSP to allow Umami analytics and remove stale GA directives

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/app.py b/backend/app.py
index c8ff2c9..3ab895d 100644
--- a/backend/app.py
+++ b/backend/app.py
@@ -65,11 +65,11 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
 # Content Security Policy
 response.headers["Content-Security-Policy"] = (
 "default-src 'self'; "
- "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com https://www.googletagmanager.com; "
+ "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com https://analytics.schoolcompare.co.uk; "
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net https://unpkg.com; "
 "font-src 'self' https://fonts.gstatic.com; "
- "img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com https://www.google-analytics.com; "
- "connect-src 'self' https://cdn.jsdelivr.net https://*.tile.openstreetmap.org https://unpkg.com https://www.google-analytics.com https://analytics.google.com https://*.google-analytics.com; "
+ "img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; "
+ "connect-src 'self' https://cdn.jsdelivr.net https://*.tile.openstreetmap.org https://unpkg.com https://analytics.schoolcompare.co.uk; "
 "frame-ancestors 'none'; "
 "base-uri 'self'; "
 "form-action 'self' https://formsubmit.co;"
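Review bot: The rewritten `script-src` line still carries `'unsafe-inline'`, which lets any injected `<script>` or `on*=` handler execute and so largely cancels the XSS protection the origin allow-list is meant to provide; with the Google Tag Manager origin now dropped, the inline GTM bootstrap snippet that usually justifies that token may be gone as well. If the Umami tracker is loaded from an external `<script src=...>` tag and the templates contain no other inline scripts, the line can become `"script-src 'self' https://cdn.jsdelivr.net https://unpkg.com https://analytics.schoolcompare.co.uk; "`; otherwise a per-request `'nonce-...'` generated in this middleware and stamped on each inline tag is the usual replacement — the templates are not visible here, so this needs confirming before the token is removed. The same line also allows the whole of two public CDNs (`cdn.jsdelivr.net`, `unpkg.com`), so any package published there is loadable; narrowing each to the specific package path the site actually uses would shrink that surface. The assignment this hunk edits begins inside the hunk but the enclosing method starts and ends outside it.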