diff --git a/crates/app/src/main.rs b/crates/app/src/main.rs
index 1236d53..75a9c02 100644
--- a/crates/app/src/main.rs
+++ b/crates/app/src/main.rs
@@ -130,7 +130,7 @@ async fn main() {
 )
 .layer(SetResponseHeaderLayer::if_not_present(
 HeaderName::from_static("content-security-policy"),
- HeaderValue::from_static("default-src 'self' *.spotify.com musicbrainz.org; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' *; script-src 'self' 'unsafe-inline' *; object-src 'self' *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self'; frame-ancestors 'self'"),
+ HeaderValue::from_static("default-src 'self' *.spotify.com musicbrainz.org; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' *; script-src 'self' 'unsafe-inline' *; object-src 'self' *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self' *.cloudflare.com; frame-ancestors 'self'"),
 ))
 .layer(CatchPanicLayer::new());
diff --git a/crates/app/src/routes/pages/journals.rs b/crates/app/src/routes/pages/journals.rs
index ff6a738..ca48e78 100644
--- a/crates/app/src/routes/pages/journals.rs
+++ b/crates/app/src/routes/pages/journals.rs
@@ -365,7 +365,7 @@ pub async fn global_view_request(
 Ok((
 [(
 "content-security-policy",
- "default-src 'self' *.spotify.com musicbrainz.org; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' *; script-src 'self' 'unsafe-inline' *; object-src 'self' *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self'; frame-ancestors *",
+ "default-src 'self' *.spotify.com musicbrainz.org; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' *; script-src 'self' 'unsafe-inline' *; object-src 'self' *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self' *.cloudflare.com; frame-ancestors *",
 )],
 Html(data.1.render("journals/app.html", &context).unwrap()),
 ))
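Review bot: The new `frame-src` source `*.cloudflare.com` is wider than an embedded widget normally needs, since it allows any Cloudflare subdomain to be framed; it appears in both policy strings, the global layer in `main.rs` and the per-route header in `journals.rs`. If the addition is for a challenge widget (inferred, the commit does not say), pin the exact host and scheme instead, e.g. `frame-src 'self' https://challenges.cloudflare.com`. The two strings are near-identical copies that differ only in `frame-ancestors`, so building both from one shared constant, with a short comment naming the feature that needs the Cloudflare origin, would keep later edits from drifting apart. Both enclosing functions continue outside the hunks.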
diff --git a/crates/core/src/database/invite_codes.rs b/crates/core/src/database/invite_codes.rs
index ba31155..084cfb3 100644
--- a/crates/core/src/database/invite_codes.rs
+++ b/crates/core/src/database/invite_codes.rs
@@ -103,11 +103,13 @@ impl DataManager {
 /// # Arguments
 /// * `data` - a mock [`InviteCode`] object to insert
 pub async fn create_invite_code(&self, data: InviteCode, user: &User) -> Result {
- // check account creation date
- if unix_epoch_timestamp() - user.created < Self::MINIMUM_ACCOUNT_AGE_FOR_INVITE_CODES {
- return Err(Error::MiscError(
- "Your account is too young to do this".to_string(),
- ));
+ // check account creation date (if we aren't a supporter OR this is a purchased account)
+ if !user.permissions.check(FinePermission::SUPPORTER) | user.was_purchased {
+ if unix_epoch_timestamp() - user.created < Self::MINIMUM_ACCOUNT_AGE_FOR_INVITE_CODES {
+ return Err(Error::MiscError(
+ "Your account is too young to do this".to_string(),
+ ));
+ }
 }
 // ...
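Review bot: The new guard in `create_invite_code` combines booleans with the non-short-circuit `|`; precedence gives `(!supporter) | was_purchased`, which matches the comment, but `||` reads unambiguously and lets the nested `if` collapse: `let age_gated = !user.permissions.check(FinePermission::SUPPORTER) || user.was_purchased;` followed by `if age_gated && unix_epoch_timestamp().saturating_sub(user.created) < Self::MINIMUM_ACCOUNT_AGE_FOR_INVITE_CODES {`. The `saturating_sub` assumes both values are integers of the same type (their types are not visible here); with a plain `-` on unsigned values, a `created` timestamp ahead of the clock would panic in debug builds or wrap in release and pass the age gate. Because the age check is an abuse control and supporters now skip it, a test covering supporter, non-supporter and purchased accounts would pin the intended matrix. The function body continues past the hunk.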