From 5bfa9a2687218906f31b8645f5677336571fcc70 Mon Sep 17 00:00:00 2001
From: David Neal
Date: Fri, 6 Feb 2026 15:13:09 -0500
Subject: [PATCH] fix: allow Google Analytics in Content Security Policy

The CSP scriptSrc directive blocked the Google Tag Manager script from loading in production, preventing Google Analytics from functioning. Added googletagmanager.com to scriptSrc and Google Analytics domains to connectSrc to allow gtag.js and analytics beacons.

Co-Authored-By: Claude Opus 4.6
---
 apps/shared/src/middleware.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/shared/src/middleware.ts b/apps/shared/src/middleware.ts
index 55872b1..4319274 100644
--- a/apps/shared/src/middleware.ts
+++ b/apps/shared/src/middleware.ts
@@ -34,9 +34,11 @@ export const createWebSecurityHeaders = ( apiBaseUrl?: string ): RequestHandler
 directives: {
 defaultSrc: [ "'self'" ],
 styleSrc: [ "'self'", "'unsafe-inline'" ], // Allow inline styles for Tailwind
- scriptSrc: [ "'self'", "'unsafe-inline'" ], // Allow inline scripts for EJS templates
+ scriptSrc: [ "'self'", "'unsafe-inline'", "https://www.googletagmanager.com" ],
 imgSrc: [ "'self'", "data:", "https:" ],
- connectSrc: apiBaseUrl ? [ "'self'", apiBaseUrl ] : [ "'self'" ],
+ connectSrc: apiBaseUrl
+ ? [ "'self'", apiBaseUrl, "https://www.google-analytics.com", "https://*.google-analytics.com", "https://*.analytics.google.com" ]
+ : [ "'self'", "https://www.google-analytics.com", "https://*.google-analytics.com", "https://*.analytics.google.com" ],
 fontSrc: [ "'self'" ],
 objectSrc: [ "'none'" ],
 mediaSrc: [ "'self'" ],
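Review bot: The new scriptSrc entry `https://www.googletagmanager.com` allow-lists the whole GTM origin, which in effect extends script execution trust to whatever the GTM container publishes (anyone with edit rights on that container, presumably), and the rewritten line also drops the `// Allow inline scripts for EJS templates` justification even though `'unsafe-inline'` is still in the directive; both the trust decision and the inline-script rationale should be recorded on that line, e.g. `// 'unsafe-inline': EJS templates; googletagmanager.com: gtag.js (trusts the GTM container)`. The three Google Analytics origins are repeated verbatim in both branches of the connectSrc ternary, so they can drift apart on the next edit; hoisting them into one `analyticsConnectSrc` constant and writing `connectSrc: [ "'self'", ...(apiBaseUrl ? [ apiBaseUrl ] : []), ...analyticsConnectSrc ],` keeps a single list. If only gtag.js is used and no GTM container, a comment saying so would make the allow-list scope clear to the next reviewer. The enclosing createWebSecurityHeaders body starts before and continues after the hunk.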