diff --git a/public/service-worker.js b/public/service-worker.js
index 9196b702..ec1c1546 100644
--- a/public/service-worker.js
+++ b/public/service-worker.js
@@ -5,7 +5,7 @@
 * - PWA functionality
 */
-const CACHE_VERSION = '1.0.5';
+const CACHE_VERSION = '1.0.6';
 const CACHE_NAME = `tractatus-v${CACHE_VERSION}`;
 const VERSION_CHECK_INTERVAL = 3600000; // 1 hour in milliseconds
diff --git a/public/version.json b/public/version.json
index 7d6f5153..76b564c9 100644
--- a/public/version.json
+++ b/public/version.json
@@ -1,12 +1,12 @@
 {
- "version": "1.0.5",
- "buildDate": "2025-10-14T13:15:00Z",
+ "version": "1.0.6",
+ "buildDate": "2025-10-14T13:30:00Z",
 "changelog": [
- "Fixed inline FAQ markdown rendering with error handling",
- "Added logging for FAQ rendering diagnostics",
- "Enhanced markdown fallback for both modal and inline FAQs",
- "Created inst_040: 'all' keyword requires complete coverage"
+ "CRITICAL FIX: Updated CSP to allow cdnjs.cloudflare.com",
+ "Fixes marked.js and highlight.js loading failures",
+ "Added connectSrc, scriptSrc, styleSrc, fontSrc for CDN",
+ "FAQ markdown rendering now works correctly"
 ],
 "forceUpdate": true,
- "minVersion": "1.0.5"
+ "minVersion": "1.0.6"
 }
diff --git a/src/server.js b/src/server.js
index acd8ad45..976dba08 100644
--- a/src/server.js
+++ b/src/server.js
@@ -27,8 +27,10 @@ app.use(helmet({
 contentSecurityPolicy: {
 directives: {
 defaultSrc: ["'self'"],
- styleSrc: ["'self'", "'unsafe-inline'"],
- scriptSrc: ["'self'"],
+ styleSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com"],
+ scriptSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+ connectSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+ fontSrc: ["'self'", "https://cdnjs.cloudflare.com"],
 imgSrc: ["'self'", "data:", "https:"],
 },
 },
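Review bot: The new `scriptSrc` entry in the `src/server.js` hunk allowlists the whole `https://cdnjs.cloudflare.com` origin, so every script hosted on that CDN becomes loadable by the page, not only marked.js and highlight.js; that weakens the policy as a defence against injected markup. Consider scoping it to the library paths, e.g. `scriptSrc: ["'self'", "https://cdnjs.cloudflare.com/ajax/libs/marked/", "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/"],`, and pinning the tags with `integrity` hashes (the HTML that loads them is not in this diff), or self-hosting the two files so that `'self'` is enough. The `connectSrc` and `fontSrc` additions look broader than the stated fix needs, since script and stylesheet loads are governed by `script-src` and `style-src`; drop them unless a fetch (for example from the service worker) or a CDN-hosted font really requires them, and add a comment saying which. The `helmet({...})` call starts before and ends after this hunk, so its other options are not visible here.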