From bc948505e5a6433264bbc3d8837bf1a73e9accf3 Mon Sep 17 00:00:00 2001
From: Your Name <119736744+aborayan2022@users.noreply.github.com>
Date: Mon, 6 Apr 2026 14:18:02 +0200
Subject: [PATCH] feat: enhance Content Security Policy and add mobile web app
 capability

---
 backend/app/__init__.py | 2 ++
 frontend/index.html     | 1 +
 nginx/nginx.conf        | 2 +-
 nginx/nginx.prod.conf   | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/backend/app/__init__.py b/backend/app/__init__.py
index 689db5d..6fa770f 100644
--- a/backend/app/__init__.py
+++ b/backend/app/__init__.py
@@ -80,6 +80,7 @@ def create_app(config_name=None, config_overrides=None):
             "https://pagead2.googlesyndication.com",
             "https://www.googletagmanager.com",
             "https://www.google-analytics.com",
+            "https://www.clarity.ms",
         ],
         "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
         "font-src": ["'self'", "https://fonts.gstatic.com"],
@@ -99,6 +100,7 @@ def create_app(config_name=None, config_overrides=None):
             "https://www.google-analytics.com",
             "https://pagead2.googlesyndication.com",
             "https://*.amazonaws.com",
+            "https://*.adtrafficquality.google",
         ],
     }
     talisman.init_app(
diff --git a/frontend/index.html b/frontend/index.html
index 06d8db6..bcbf925 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -11,6 +11,7 @@
     content="Free online tools for PDF, image, video, and text processing. Merge, split, compress, convert, watermark, protect & more — instantly." />
   <meta name="application-name" content="Dociva" />
   <meta name="apple-mobile-web-app-title" content="Dociva" />
+  <meta name="mobile-web-app-capable" content="yes" />
   <meta name="apple-mobile-web-app-capable" content="yes" />
   <meta name="apple-mobile-web-app-status-bar-style" content="default" />
   <meta name="theme-color" content="#2563eb" />
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index a4234b6..e509917 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -38,7 +38,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://www.googletagmanager.com https://www.google-analytics.com https://plausible.io; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://pagead2.googlesyndication.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://pagead2.googlesyndication.com https://plausible.io; frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; frame-ancestors 'self'" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://www.googletagmanager.com https://www.google-analytics.com https://plausible.io https://www.clarity.ms; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://pagead2.googlesyndication.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://pagead2.googlesyndication.com https://plausible.io https://*.adtrafficquality.google; frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; frame-ancestors 'self'" always;
 
     # API requests → Flask backend
     location /api/ {
diff --git a/nginx/nginx.prod.conf b/nginx/nginx.prod.conf
index c0e77d6..5b0de57 100644
--- a/nginx/nginx.prod.conf
+++ b/nginx/nginx.prod.conf
@@ -65,7 +65,7 @@ server {
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
     add_header X-Canonical-Host "dociva.io" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://www.googletagmanager.com https://www.google-analytics.com https://plausible.io; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://pagead2.googlesyndication.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://pagead2.googlesyndication.com https://plausible.io; frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; frame-ancestors 'self'" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://www.googletagmanager.com https://www.google-analytics.com https://plausible.io https://www.clarity.ms; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://pagead2.googlesyndication.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://pagead2.googlesyndication.com https://plausible.io https://*.adtrafficquality.google; frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; frame-ancestors 'self'" always;
 
     # SEO files — no cache, always fresh
     location ~* ^/(sitemap\.xml|robots\.txt|llms\.txt|humans\.txt)$ {