804c2586a9
- Remove 'unsafe-inline' from script-src CSP directive - Restrict connectSrc and imgSrc to known external domains - Move Google API key from URL query parameter to X-Goog-Api-Key header - Sanitize error logging in production (no stack traces) - Log file link errors instead of silently swallowing them https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8