From 18b7c1f8a0167a89c3725c1ac505673c96b19248 Mon Sep 17 00:00:00 2001
From: Claude Dev
Date: Tue, 24 Mar 2026 09:46:42 +0100
Subject: [PATCH] Fix: CSP blockierte GEOINT-Satellitenbilder und externe APIs

Content-Security-Policy erweitert:
- img-src: server.arcgisonline.com (Esri Satellite Tiles)
- connect-src: earthquake.usgs.gov, api.gdeltproject.org
- script-src: unpkg.com (Leaflet.heat Plugin)
---
 src/main.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main.py b/src/main.py
index 0876040..626a475 100644
--- a/src/main.py
+++ b/src/main.py
@@ -298,11 +298,11 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
 response = await call_next(request)
 response.headers["Content-Security-Policy"] = (
 "default-src 'self'; "
- "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+ "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com; "
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; "
 "font-src 'self' https://fonts.gstatic.com; "
- "img-src 'self' data: https://tile.openstreetmap.de; "
- "connect-src 'self' wss: ws:; "
+ "img-src 'self' data: https://tile.openstreetmap.de https://server.arcgisonline.com; "
+ "connect-src 'self' wss: ws: https://earthquake.usgs.gov https://api.gdeltproject.org; "
 "frame-ancestors 'none'"
 )
 response.headers["Permissions-Policy"] = (
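Review bot: The new `script-src` entry allows the whole `https://unpkg.com` origin, which serves every package published to npm, although the commit message says only the Leaflet.heat plugin is needed. Since the policy already allows `'unsafe-inline'` and all of cdn.jsdelivr.net, this adds a second open package CDN to the set of hosts the page will run scripts from. Consider serving the plugin from `'self'`, or narrowing the entry to the plugin's path, e.g. `"script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com/<plugin-path>/; "`, and adding an `integrity` attribute to the script tag that loads it. A short comment above the policy string naming the feature behind each external host (Esri tiles, USGS and GDELT feeds, Leaflet.heat) would help later reviews remove entries that are no longer used. The enclosing method of SecurityHeadersMiddleware starts and ends outside this hunk, so any other headers it sets are not visible here.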