feat: Add Content Security Policy header and move Plausible script to HTML head with beforeInteractive strategy.

next.config.ts

@@ -15,6 +15,15 @@ const nextConfig: NextConfig = {
   },
   async headers() {
     return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://plausible.elpatron.me; connect-src 'self' https://plausible.elpatron.me;",
+          },
+        ],
+      },
       {
         source: '/uploads/:path*.mp3',
         headers: [