## ADDED Requirements

### Requirement: Content Security Policy baseline

The deployed site MUST include a Content Security Policy (CSP) that is compatible with the site's runtime behavior and third-party integrations. The CSP MUST be strict enough to avoid DevTools Issues panel findings related to CSP and MUST NOT rely on a permissive `*` wildcard for script sources.

The CSP MUST allow:

- the site's own scripts and styles
- the configured analytics script origin (Umami)
- required image origins (e.g., YouTube thumbnail host and podcast image CDN)
- required frame origins (e.g., YouTube and Spotify embeds)

#### Scenario: No CSP issues logged

- **WHEN** a user loads the homepage in Chrome
- **THEN** no CSP-related issues are reported in the DevTools Issues panel

### Requirement: Avoid inline-script CSP violations

The site SHOULD minimize the use of inline scripts to avoid requiring `unsafe-inline` in CSP. If inline scripts are necessary, the CSP MUST use a nonce-based or hash-based approach.

#### Scenario: Inline scripts do not require unsafe-inline

- **WHEN** the site is served with CSP enabled
- **THEN** the policy does not require `script-src 'unsafe-inline'` to function