Fix Content Security Policy on Cloudflare

Cloudflare can inject or mutate Content-Security-Policy for all origins behind the zone. That centralizes policy when multiple microservices sit upstream and avoids configuring each Kubernetes ingress separately.

Reporting endpoints for report-to or legacy report-uri should hit infrastructure you operate; Cloudflare Logs can complement violation streams. Watch header size limits on very long allowlists.

Pair with cache tuning so CSP headers are not stripped at the CDN.
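One way to apply a single policy at the edge is a Cloudflare Worker, shown here as an added example that is not code from this page or from CSPFixer. The reporting URL, the directive set and the 4096-byte budget are assumptions chosen for illustration; the budget is not a documented Cloudflare limit.

```javascript
// Added example. REPORT_URL, DIRECTIVES and MAX_CSP_BYTES are assumptions.
const REPORT_URL = "https://csp-reports.example.com/ingest"; // placeholder: a collector you operate
const MAX_CSP_BYTES = 4096; // assumed budget for this example, not a documented Cloudflare limit

const DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://static.example.com"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
};

// Serialize the directives, append report-uri (legacy) and report-to,
// and refuse to produce a policy that exceeds the size budget.
function buildCsp(directives) {
  const parts = Object.entries(directives).map(
    ([name, sources]) => `${name} ${sources.join(" ")}`
  );
  parts.push(`report-uri ${REPORT_URL}`, "report-to csp");
  const csp = parts.join("; ");
  const size = new TextEncoder().encode(csp).length;
  if (size > MAX_CSP_BYTES) {
    throw new Error(`CSP is ${size} bytes, over the ${MAX_CSP_BYTES}-byte budget`);
  }
  return csp;
}

// Built once at startup, so an oversized allowlist fails at deploy time, not per request.
const POLICY = buildCsp(DIRECTIVES);

// Return the origin response with the zone-wide policy replacing any per-service one.
// This example scopes the header to HTML responses and passes everything else through.
function applyCsp(originResponse) {
  const type = originResponse.headers.get("content-type") || "";
  if (!type.includes("text/html")) return originResponse;
  const headers = new Headers(originResponse.headers); // mutable copy
  headers.set("Content-Security-Policy", POLICY);
  headers.set("Reporting-Endpoints", `csp="${REPORT_URL}"`); // names the group used by report-to
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers,
  });
}

// In a module-syntax Worker this object is the default export.
const worker = { fetch: async (request) => applyCsp(await fetch(request)) };
```

Because `headers.set` overwrites rather than appends, a policy sent by an upstream service does not survive alongside the edge policy.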
