diff --git a/roles/docker-compose/tasks/04_files.yml b/roles/docker-compose/tasks/04_files.yml
index 7d032210..2a2cec89 100644
--- a/roles/docker-compose/tasks/04_files.yml
+++ b/roles/docker-compose/tasks/04_files.yml
@@ -5,7 +5,9 @@
 loop:
 - "{{ application_id | abs_role_path_by_application_id }}/templates/Dockerfile.j2"
 - "{{ application_id | abs_role_path_by_application_id }}/files/Dockerfile"
- notify: docker compose up
+ notify:
+ - docker compose up
+ - docker compose build
 register: create_dockerfile_result
 failed_when:
 - create_dockerfile_result is failed
diff --git a/roles/svc-prx-openresty/vars/main.yml b/roles/svc-prx-openresty/vars/main.yml
index e9117775..1d906523 100644
--- a/roles/svc-prx-openresty/vars/main.yml
+++ b/roles/svc-prx-openresty/vars/main.yml
@@ -8,4 +8,3 @@ database_type: ""
 OPENRESTY_IMAGE: "openresty/openresty"
 OPENRESTY_VERSION: "alpine"
 OPENRESTY_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.openresty.name', True) }}"
-
diff --git a/roles/web-app-bookwyrm/config/main.yml b/roles/web-app-bookwyrm/config/main.yml
index 8be7e339..1a1a8085 100644
--- a/roles/web-app-bookwyrm/config/main.yml
+++ b/roles/web-app-bookwyrm/config/main.yml
@@ -24,7 +24,11 @@ features:
 server:
 csp:
 whitelist: {}
- flags: {}
+ flags:
+ script-src-elem:
+ unsafe-inline: true
+ script-src:
+ unsafe-inline: true
 domains:
 canonical:
 - "book.{{ PRIMARY_DOMAIN }}"
diff --git a/roles/web-app-confluence/README.md b/roles/web-app-confluence/README.md
index 987a04bc..afd512a9 100644
--- a/roles/web-app-confluence/README.md
+++ b/roles/web-app-confluence/README.md
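Review bot: In roles/docker-compose/tasks/04_files.yml the new `notify:` list names `docker compose up` before `docker compose build`, but Ansible runs notified handlers in the order they are defined in the handlers file, not in the order given under `notify`. The handlers file is not part of this diff, so it is worth confirming that `docker compose build` is defined ahead of `docker compose up` there; otherwise a changed Dockerfile could bring containers up from the previous image. Writing the list as `- docker compose build` followed by `- docker compose up` would also make the intended sequence readable. The task itself starts above the hunk.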
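Review bot: The new `flags` block in roles/web-app-bookwyrm/config/main.yml turns on `unsafe-inline` for both `script-src` and `script-src-elem`, which gives up most of what CSP does against injected inline script; the identical block is added in roles/web-app-confluence/config/main.yml and roles/web-app-jira/config/main.yml. Nothing in the diff records why each application needs the exception, so a comment above the block such as `# unsafe-inline: required by <feature>; revisit once nonces or hashes are possible` would keep it reviewable. If the platform's CSP generator can emit nonces or hashes (not visible here), that would be the narrower relaxation. The Confluence README touched by this same commit still says the role keeps policies strict, which no longer matches.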
@@ -17,7 +17,7 @@ The role builds a minimal custom image on top of the official Confluence image,
 * **JVM Auto-Tuning:** `JVM_MINIMUM_MEMORY` / `JVM_MAXIMUM_MEMORY` computed from host memory with upper bounds.
 * **Health Checks:** Curl-based container healthcheck for early failure detection.
 * **CSP & Canonical Domains:** Hooks into platform CSP/SSL/domain management to keep policies strict and URLs stable.
-* **Backup Friendly:** Data isolated under `/var/atlassian/application-data/confluence`.
+* **Backup Friendly:** Data isolated under `{{ CONFLUENCE_HOME }}`.
 ## Further Resources
diff --git a/roles/web-app-confluence/config/main.yml b/roles/web-app-confluence/config/main.yml
index 439381b5..c5f80b8d 100644
--- a/roles/web-app-confluence/config/main.yml
+++ b/roles/web-app-confluence/config/main.yml
@@ -20,7 +20,11 @@ features:
 server:
 csp:
 whitelist: {}
- flags: {}
+ flags:
+ script-src-elem:
+ unsafe-inline: true
+ script-src:
+ unsafe-inline: true
 domains:
 canonical:
 - "confluence.{{ PRIMARY_DOMAIN }}"
diff --git a/roles/web-app-confluence/templates/Dockerfile.j2 b/roles/web-app-confluence/templates/Dockerfile.j2
index d05160e7..7ce017a1 100644
--- a/roles/web-app-confluence/templates/Dockerfile.j2
+++ b/roles/web-app-confluence/templates/Dockerfile.j2
@@ -4,5 +4,7 @@ FROM "{{ CONFLUENCE_IMAGE }}:{{ CONFLUENCE_VERSION }}"
 # COPY ./plugins/atlassian-sso-dc-latest.obr /opt/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/
 # Ensure proper permissions for app data
-RUN mkdir -p /var/atlassian/application-data/confluence && \
- chown -R 2001:2001 /var/atlassian/application-data/confluence
\ No newline at end of file
+RUN mkdir -p {{ CONFLUENCE_HOME }} && \
+ chown -R 2001:2001 {{ CONFLUENCE_HOME }}
+RUN printf "confluence.home={{ CONFLUENCE_HOME }}\n" \
+ > /opt/atlassian/confluence/confluence/WEB-INF/classes/confluence-init.properties
\ No newline at end of file
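Review bot: The new `RUN` lines in roles/web-app-confluence/templates/Dockerfile.j2 paste `{{ CONFLUENCE_HOME }}` into shell words unquoted and into the `printf` format string, so a value containing whitespace, `%` or a shell metacharacter would change what the build executes or what lands in confluence-init.properties. The variable is a fixed path in vars/main.yml in this commit, but as a variable it may be overridden later, so quoting is cheap: `RUN mkdir -p "{{ CONFLUENCE_HOME }}" && \`, `chown -R 2001:2001 "{{ CONFLUENCE_HOME }}"` and `RUN printf 'confluence.home=%s\n' "{{ CONFLUENCE_HOME }}" \`. The file also still ends without a trailing newline.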
diff --git a/roles/web-app-confluence/templates/docker-compose.yml.j2 b/roles/web-app-confluence/templates/docker-compose.yml.j2
index 1efb6b5a..dbc74b2d 100644
--- a/roles/web-app-confluence/templates/docker-compose.yml.j2
+++ b/roles/web-app-confluence/templates/docker-compose.yml.j2
@@ -9,7 +9,7 @@
 ports:
 - "127.0.0.1:{{ ports.localhost.http[application_id] }}:8090"
 volumes:
- - 'data:/var/atlassian/application-data/confluence'
+ - 'data:{{ CONFLUENCE_HOME }}'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
diff --git a/roles/web-app-confluence/templates/env.j2 b/roles/web-app-confluence/templates/env.j2
index b0470d3e..57929c80 100644
--- a/roles/web-app-confluence/templates/env.j2
+++ b/roles/web-app-confluence/templates/env.j2
@@ -1,6 +1,6 @@
 ## Confluence core
 CONFLUENCE_URL="{{ CONFLUENCE_URL }}"
-
+CONFLUENCE_HOME="{{ CONFLUENCE_HOME }}"
 ATL_PROXY_NAME={{ CONFLUENCE_HOSTNAME }}
 ATL_PROXY_PORT={{ WEB_PORT }}
@@ -9,6 +9,8 @@ ATL_TOMCAT_SECURE={{ (WEB_PORT == 443) | lower }}
 JVM_MINIMUM_MEMORY={{ CONFLUENCE_JVM_MIN }}
 JVM_MAXIMUM_MEMORY={{ CONFLUENCE_JVM_MAX }}
+JVM_SUPPORT_RECOMMENDED_ARGS=-Datlassian.home={{ CONFLUENCE_HOME }}
+
 ## Database
 ATL_DB_TYPE=postgresql
 ATL_DB_DRIVER=org.postgresql.Driver
@@ -16,8 +18,8 @@ ATL_JDBC_URL=jdbc:postgresql://{{ database_host }}:{{ database_port }}/{{ databa
 ATL_JDBC_USER={{ database_username }}
 ATL_JDBC_PASSWORD={{ database_password }}
-## OIDC
 {% if CONFLUENCE_OIDC_ENABLED %}
+## OIDC
 CONFLUENCE_OIDC_TITLE="{{ CONFLUENCE_OIDC_LABEL | replace('\"','\\\"') }}"
 CONFLUENCE_OIDC_ISSUER="{{ CONFLUENCE_OIDC_ISSUER }}"
 CONFLUENCE_OIDC_AUTHORIZATION_ENDPOINT="{{ CONFLUENCE_OIDC_AUTH_URL }}"
diff --git a/roles/web-app-confluence/vars/main.yml b/roles/web-app-confluence/vars/main.yml
index 3357ea8d..82d7cac6 100644
--- a/roles/web-app-confluence/vars/main.yml
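Review bot: `JVM_SUPPORT_RECOMMENDED_ARGS=-Datlassian.home={{ CONFLUENCE_HOME }}` in the second hunk of roles/web-app-confluence/templates/env.j2 sets the home directory a third time, alongside `CONFLUENCE_HOME` in the first hunk and the `confluence.home` line that Dockerfile.j2 bakes into the image. The image copy changes only on rebuild while this env file changes on every render, so the two can disagree until the image is rebuilt; a comment above the line such as `# must match confluence.home written by Dockerfile.j2` would document the coupling. The value is also left bare here while `CONFLUENCE_HOME="{{ CONFLUENCE_HOME }}"` is quoted, and a path containing a space would likely split the JVM argument.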
+++ b/roles/web-app-confluence/vars/main.yml
@@ -11,6 +11,7 @@ container_hostname: "{{ domains | get_domain(application_id) }}"
 ## URLs
 CONFLUENCE_URL: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 CONFLUENCE_HOSTNAME: "{{ container_hostname }}"
+CONFLUENCE_HOME: "/var/atlassian/application-data/confluence"
 ## OIDC
 CONFLUENCE_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
diff --git a/roles/web-app-jira/config/main.yml b/roles/web-app-jira/config/main.yml
index ed84d82e..f941f9f5 100644
--- a/roles/web-app-jira/config/main.yml
+++ b/roles/web-app-jira/config/main.yml
@@ -21,7 +21,11 @@ features:
 server:
 csp:
 whitelist: {}
- flags: {}
+ flags:
+ script-src-elem:
+ unsafe-inline: true
+ script-src:
+ unsafe-inline: true
 domains:
 canonical:
 - "jira.{{ PRIMARY_DOMAIN }}"