Between Safari 26.x or changes Cloudflare has made to their Automatic Platform Optimization (APO) system, something went wrong with Google based fonts on my site when viewed in Safari. Attempting to access the fonts under Safari results in 400 errors, or invalid requests. Resolving this was not immediately obvious but a snippet in the APO helped me find a path forward that restored the intended look of my site.

This FAQ answer held the secret – https://developers.cloudflare.com/automatic-platform-optimization/troubleshooting/faq/#why-are-my-font-urls-not-being-transformed. While the “question” pondered why the fonts were not being transformed, it helped me understand how I could override the default behavior of APO when it sees Google fonts being referenced. By modifying my Content Security Policy header so that fonts were not allowed from my domain I was able to restore the intended look. When APO sees the CSP won’t allow fonts to be served from the same domain, it will avoid rewriting the URL for the font. Since I don’t serve any fonts off my domain, this is a quick and easy fix to avoid the issue.