[CSP] Content-Security-Policy headers active
[CSP] All scripts validated against nonce
[CSP] Blocked inline script without nonce (safe!)
[CSP] Stylesheet from fonts.googleapis.com: allowed
[CSP] WebSocket to *.supabase.co: allowed
[CSP] Blocked connection to unknown-tracker.com (safe!)
[CSP] frame-ancestors: none - prevents clickjacking
CSP Score: A+
All policies enforced. 2 violations blocked successfully.