feat: Add Content Security Policy header and move Plausible script to HTML head with beforeInteractive strategy.

app/layout.tsx

@@ -35,13 +35,15 @@ export default function RootLayout({
 }>) {
   return (
     <html lang="en">
-      <body className={`${geistSans.variable} ${geistMono.variable}`}>
+      <head>
         <Script
           defer
           data-domain="hoerdle.elpatron.me"
           src="https://plausible.elpatron.me/js/script.js"
-          strategy="afterInteractive"
+          strategy="beforeInteractive"
         />
+      </head>
+      <body className={`${geistSans.variable} ${geistMono.variable}`}>
         {children}
         <InstallPrompt />
         <AppFooter />

next.config.ts

@@ -15,6 +15,15 @@ const nextConfig: NextConfig = {
   },
   async headers() {
     return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://plausible.elpatron.me; connect-src 'self' https://plausible.elpatron.me;",
+          },
+        ],
+      },
       {
         source: '/uploads/:path*.mp3',
         headers: [