diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 818541c..96011a8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,7 +1,7 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
- "name": "Ubuntu",
+ "name": "Ubuntu-Hugo",
  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
  "image": "mcr.microsoft.com/devcontainers/base:jammy",
  "features": {
diff --git a/cloudflare-build.sh b/cloudflare-build.sh
new file mode 100644
index 0000000..07a149a
--- /dev/null
+++ b/cloudflare-build.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+curl -L -s https://api.github.com/repos/gohugoio/hugo/releases/latest | grep "browser_download_url.*extended.*linux-amd64.tar.gz" | cut -d : -f 2,3 | sed 's/"//g' | xargs wget
+
+tar xvf ./*.tar.gz
+chmod u+x ./hugo
+
+if [ "$CF_PAGES_BRANCH" == "main" ]; then
+ ./hugo --minify
+else
+ ./hugo -b "$CF_PAGES_URL" --minify
+fi
diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md
index d024d2b..1c1cd24 100644
--- a/content/posts/linux/Desktop Linux Hardening.md
+++ b/content/posts/linux/Desktop Linux Hardening.md
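Review bot: The `curl ... | xargs wget` line in cloudflare-build.sh fetches whatever GitHub currently reports as the `latest` Hugo release and the build then executes that binary with no integrity check, so the site generator is whatever asset happens to be served at build time. The same commit pins `HUGO_VERSION = "0.113.0"` for Netlify; this script should pin the same version and compare the tarball against a checksum committed to the repo before `tar xvf`, so a tampered or unexpected asset fails the build rather than producing the site. The script also runs without `set -euo pipefail`, so a failed download leaves `./*.tar.gz` unmatched and the failure only surfaces at the `./hugo` call. The branch-dependent `./hugo` invocation at the end can stay as written.
```shell
#!/bin/bash
set -euo pipefail

# Pin the release instead of resolving "latest" at build time; keep in step with
# HUGO_VERSION in netlify.toml and update the digest whenever the version changes.
HUGO_VERSION="0.113.0"
HUGO_TARBALL="hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
HUGO_SHA256="<SHA256_OF_PINNED_TARBALL>"  # placeholder: record the real digest here

wget -q "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/${HUGO_TARBALL}"
echo "${HUGO_SHA256}  ${HUGO_TARBALL}" | sha256sum -c -
tar xf "${HUGO_TARBALL}" hugo
chmod u+x ./hugo

# … unchanged: CF_PAGES_BRANCH check and ./hugo invocation …
```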
@@ -75,7 +75,7 @@ Many Linux distributions sends some telemetry data by default to count how many The Fedora Project offers a ["countme" variable](https://dnf.readthedocs.io/en/latest/conf_ref.html#countme-label) to much more accurately [count unique systems accessing its mirrors](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) without involving unique IDs. While currently disabled by default, you could add `countme=false` to `/etc/dnf/dnf.conf` in case the default changes in the future. On rpm‑ostree systems such as Fedora Silverblue and Kinoite, the `countme` option can be disabled by [masking the rpm-ostree-countme timer](https://coreos.github.io/rpm-ostree/countme/). -[openSUSE uses a unique ID to count systems](https://en.opensuse.org/openSUSE:Statistics), which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. +[openSUSE uses a unique ID to count systems](https://en.opensuse.org/openSUSE:Statistics), which can be disabled by emptying the `/var/lib/zypp/AnonymousUniqueId` file. [Zorin OS also uses a unique ID to count systems.](https://zorin.com/legal/privacy/#census) You can opt‑out by running `sudo apt purge zorin-os-census` and optionally holding the package with `sudo apt-mark hold zorin-os-census` to avoid accidental reinstallation. @@ -458,7 +458,7 @@ First, you need to boot into your firmware interface and enter Secure Boot setup On certain hardware, this will not work. Instead, you will need to export the public key to your EFI partition and manually import it through your firmware interface: ``` -openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.cer +openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.der ``` ### Unified Kernel Image 
@@ -467,7 +467,7 @@ On most desktop Linux systems, it is possible to create a [unified kernel image] For Fedora Workstation, you can follow [Håvard Moen's guide](https://haavard.name/2022/06/22/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot/) which covers sbctl installation, unified kernel image generation with [dracut](https://wiki.archlinux.org/title/Dracut), and automatic signing with systemd‑boot. -On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitpcio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. +On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitcpio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. In my opinion, this is the most straightforward setup, with a lot of potential such as [systemd's future UKI plans including support for early‑boot attestation](https://0pointer.de/blog/brave-new-trusted-boot-world.html). With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with [ZSys](https://github.com/ubuntu/zsys). More testing is needed to see if they can be made to work. diff --git a/netlify.toml b/netlify.toml index 0d3e536..0c2d0d6 100644 --- a/netlify.toml +++ b/netlify.toml 
@@ -1,8 +1,8 @@
 [build.environment]
- HUGO_VERSION = "0.112.7"
+ HUGO_VERSION = "0.113.0"
 
 [context.deploy-preview]
- command = "hugo -b $DEPLOY_PRIME_URL"
+ command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo --minify"
 
 [[plugins]]
  package = "netlify-plugin-checklinks"
diff --git a/static/_headers b/static/_headers
index 1b90e23..05e6de3 100644
--- a/static/_headers
+++ b/static/_headers
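Review bot: The rewritten `command` under `[context.deploy-preview]` drops `-b $DEPLOY_PRIME_URL`, so preview builds now emit absolute links with the configured production baseURL unless Netlify supplies it some other way; if that is intended it deserves a comment, otherwise restore the flag and delete the `!` lines outright instead of blanking them: `command = "sed -i '/^[[:space:]]*! Content-Security-Policy/d' static/_headers && hugo -b $DEPLOY_PRIME_URL --minify"`. The current `s/.../ /g` substitution leaves whitespace-only lines behind in `static/_headers`, which is harmless but untidy. The reason for the `sed` step is not recorded anywhere; from the paired `_headers` change the `!` detach syntax appears to be Cloudflare-only, so a comment above the command such as `# Netlify's _headers has no "! Header" detach syntax; strip the Cloudflare-only lines before building` would save the next reader the archaeology. Once those lines are stripped, the site-wide CSP and the per-path CSP are presumably both sent on Netlify, and browsers enforce every CSP header they receive, so previews may be stricter than the Cloudflare production deploy.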
@@ -11,33 +11,42 @@
  # Cross-Origin-Opener-Policy : same-origin
 
 /posts/knowledge/multi-factor-authentication/
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
  Cross-Origin-Embedder-Policy : unsafe-none
 
 /posts/android/android-tips/
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
  Cross-Origin-Embedder-Policy : unsafe-none
 
 /posts/android/choosing-your-android-based-operating-system/
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
  Cross-Origin-Embedder-Policy : unsafe-none
 
 /posts/linux/choosing-your-desktop-linux-distribution/
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
  Cross-Origin-Embedder-Policy : unsafe-none
 
 /posts/linux/desktop-linux-hardening/
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
  Cross-Origin-Embedder-Policy : unsafe-none
 
 /*.xml
+ ! Content-Security-Policy
  Content-Security-Policy : default-src 'none'; img-src 'self' data: https://www.w3.org/; style-src 'self' 'unsafe-inline'; block-all-mixed-content; base-uri 'none'
 
 /*.png
+ ! Content-Security-Policy
  Cross-Origin-Resource-Policy : cross-origin
 
 /*.jpg
+ ! Content-Security-Policy
  Cross-Origin-Resource-Policy : cross-origin
 
 /.well-known/openpgpkey/hu/*
+ ! Content-Security-Policy
  Access-Control-Allow-Origin: *
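Review bot: The `! Content-Security-Policy` lines added under `/*.png`, `/*.jpg` and `/.well-known/openpgpkey/hu/*` detach the inherited policy without setting a replacement, so those responses go out with no CSP at all, while every other block in this hunk re-sets a page-specific policy immediately after the detach. For image and key-file responses that is presumably deliberate (the site-wide policy they detach appears to be set by a rule above line 11, outside this hunk), but nothing in the file says so, and a later reader could take it for a copy-paste omission. A comment above the first such block, `# Binary assets are never rendered as documents; the site-wide CSP is detached here and intentionally not replaced`, would record the intent. If a baseline is wanted anyway, `  Content-Security-Policy : default-src 'none'` under each of those three paths costs nothing and keeps the pattern uniform.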