fix: update CSP to allow cdnjs.cloudflare.com resources

## Critical Bug Fix
All CDN resources (marked.js, highlight.js) were blocked by CSP causing:
- FAQ markdown rendering failures
- No syntax highlighting for code blocks
- Plain text display instead of formatted HTML

## Changes Made

### Backend (src/server.js)
Updated helmet CSP configuration to allow cdnjs.cloudflare.com:
- scriptSrc: added https://cdnjs.cloudflare.com
- styleSrc: added https://cdnjs.cloudflare.com
- connectSrc: added https://cdnjs.cloudflare.com (was missing)
- fontSrc: added https://cdnjs.cloudflare.com

### Frontend (nginx production config)
Fixed nginx add_header inheritance issue:
- Duplicated security headers in HTML location block
- Nginx quirk: add_header in location block overrides parent headers
- Both server block AND location block now have full CSP

### Root Cause
Two-part issue:
1. CSP didn't include cdnjs.cloudflare.com (blocking external resources)
2. Nginx HTML location block used add_header, overriding parent security headers

## Testing
Verified with curl:
- Local: CSP headers include cdnjs.cloudflare.com ✅
- Production: CSP headers include cdnjs.cloudflare.com ✅

## Version
- Bumped to 1.0.6
- Force update enabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

public/service-worker.js

@@ -5,7 +5,7 @@
  * - PWA functionality
  */
 
-const CACHE_VERSION = '1.0.5';
+const CACHE_VERSION = '1.0.6';
 const CACHE_NAME = `tractatus-v${CACHE_VERSION}`;
 const VERSION_CHECK_INTERVAL = 3600000; // 1 hour in milliseconds
 

public/version.json

@@ -1,12 +1,12 @@
 {
-  "version": "1.0.5",
-  "buildDate": "2025-10-14T13:15:00Z",
+  "version": "1.0.6",
+  "buildDate": "2025-10-14T13:30:00Z",
   "changelog": [
-    "Fixed inline FAQ markdown rendering with error handling",
-    "Added logging for FAQ rendering diagnostics",
-    "Enhanced markdown fallback for both modal and inline FAQs",
-    "Created inst_040: 'all' keyword requires complete coverage"
+    "CRITICAL FIX: Updated CSP to allow cdnjs.cloudflare.com",
+    "Fixes marked.js and highlight.js loading failures",
+    "Added connectSrc, scriptSrc, styleSrc, fontSrc for CDN",
+    "FAQ markdown rendering now works correctly"
   ],
   "forceUpdate": true,
-  "minVersion": "1.0.5"
+  "minVersion": "1.0.6"
 }

src/server.js

@@ -27,8 +27,10 @@ app.use(helmet({
   contentSecurityPolicy: {
     directives: {
       defaultSrc: ["'self'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com"],
+      scriptSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+      connectSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+      fontSrc: ["'self'", "https://cdnjs.cloudflare.com"],
       imgSrc: ["'self'", "data:", "https:"],
     },
   },