diff --git a/.env.example b/.env.example
index b47c683c5..2be08224b 100644
--- a/.env.example
+++ b/.env.example
@@ -126,3 +126,8 @@ HTTP_X_FORWARDED_PROTO=false
 # which will be accepted.
 TWO_FACTOR_LOGIN_VALIDITY_WINDOW=2
 TWO_FACTOR_LOGIN_MAX_SECONDS=60
+
+# Additional hosts to allow in the Content-Security-Policy, "self" (should be DOMAIN)
+# and AWS_S3_CUSTOM_DOMAIN (if used) are added by default.
+# Value should be a comma-separated list of host names.
+CSP_ADDITIONAL_HOSTS=
diff --git a/bookwyrm/forms/status.py b/bookwyrm/forms/status.py
index 0800166bf..b562595ee 100644
--- a/bookwyrm/forms/status.py
+++ b/bookwyrm/forms/status.py
@@ -53,6 +53,7 @@ class QuotationForm(CustomForm):
             "sensitive",
             "privacy",
             "position",
+            "endposition",
             "position_mode",
         ]
 
diff --git a/bookwyrm/migrations/0174_auto_20230130_1240.py b/bookwyrm/migrations/0174_auto_20230130_1240.py
new file mode 100644
index 000000000..7337b6b46
--- /dev/null
+++ b/bookwyrm/migrations/0174_auto_20230130_1240.py
@@ -0,0 +1,35 @@
+# Generated by Django 3.2.16 on 2023-01-30 12:40
+
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+        ("bookwyrm", "0173_default_user_auth_group_setting"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="quotation",
+            name="endposition",
+            field=models.IntegerField(
+                blank=True,
+                null=True,
+                validators=[django.core.validators.MinValueValidator(0)],
+            ),
+        ),
+        migrations.AlterField(
+            model_name="sitesettings",
+            name="default_user_auth_group",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                to="auth.group",
+            ),
+        ),
+    ]
diff --git a/bookwyrm/models/activitypub_mixin.py b/bookwyrm/models/activitypub_mixin.py
index 9361854ba..ec1c34a40 100644
--- a/bookwyrm/models/activitypub_mixin.py
+++ b/bookwyrm/models/activitypub_mixin.py
@@ -21,7 +21,7 @@ from django.utils.http import http_date
 from bookwyrm import activitypub
 from bookwyrm.settings import USER_AGENT, PAGE_LENGTH
 from bookwyrm.signatures import make_signature, make_digest
-from bookwyrm.tasks import app, MEDIUM
+from bookwyrm.tasks import app, MEDIUM, BROADCAST
 from bookwyrm.models.fields import ImageField, ManyToManyField
 
 logger = logging.getLogger(__name__)
@@ -126,7 +126,7 @@ class ActivitypubMixin:
         # there OUGHT to be only one match
         return match.first()
 
-    def broadcast(self, activity, sender, software=None, queue=MEDIUM):
+    def broadcast(self, activity, sender, software=None, queue=BROADCAST):
         """send out an activity"""
         broadcast_task.apply_async(
             args=(
@@ -198,7 +198,7 @@ class ActivitypubMixin:
 class ObjectMixin(ActivitypubMixin):
     """add this mixin for object models that are AP serializable"""
 
-    def save(self, *args, created=None, software=None, priority=MEDIUM, **kwargs):
+    def save(self, *args, created=None, software=None, priority=BROADCAST, **kwargs):
         """broadcast created/updated/deleted objects as appropriate"""
         broadcast = kwargs.get("broadcast", True)
         # this bonus kwarg would cause an error in the base save method
@@ -506,7 +506,7 @@ def unfurl_related_field(related_field, sort_field=None):
     return related_field.remote_id
 
 
-@app.task(queue=MEDIUM)
+@app.task(queue=BROADCAST)
 def broadcast_task(sender_id: int, activity: str, recipients: List[str]):
     """the celery task for broadcast"""
     user_model = apps.get_model("bookwyrm.User", require_ready=True)
diff --git a/bookwyrm/models/site.py b/bookwyrm/models/site.py
index e40609f36..35f007be2 100644
--- a/bookwyrm/models/site.py
+++ b/bookwyrm/models/site.py
@@ -72,7 +72,7 @@ class SiteSettings(SiteModel):
     invite_request_question = models.BooleanField(default=False)
     require_confirm_email = models.BooleanField(default=True)
     default_user_auth_group = models.ForeignKey(
-        auth_models.Group, null=True, blank=True, on_delete=models.PROTECT
+        auth_models.Group, null=True, blank=True, on_delete=models.RESTRICT
     )
 
     invite_question_text = models.CharField(
diff --git a/bookwyrm/models/status.py b/bookwyrm/models/status.py
index bd99deee5..e51c7b2a1 100644
--- a/bookwyrm/models/status.py
+++ b/bookwyrm/models/status.py
@@ -329,6 +329,9 @@ class Quotation(BookStatus):
     position = models.IntegerField(
         validators=[MinValueValidator(0)], null=True, blank=True
     )
+    endposition = models.IntegerField(
+        validators=[MinValueValidator(0)], null=True, blank=True
+    )
     position_mode = models.CharField(
         max_length=3,
         choices=ProgressMode.choices,
diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py
index 51f3fe8a7..bf0467ebc 100644
--- a/bookwyrm/settings.py
+++ b/bookwyrm/settings.py
@@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
 env = Env()
 env.read_env()
 DOMAIN = env("DOMAIN")
-VERSION = "0.5.4"
+VERSION = "0.5.5"
 
 RELEASE_API = env(
     "RELEASE_API",
@@ -101,6 +101,7 @@ MIDDLEWARE = [
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "bookwyrm.middleware.TimezoneMiddleware",
     "bookwyrm.middleware.IPBlocklistMiddleware",
@@ -329,12 +330,15 @@ IMAGEKIT_DEFAULT_CACHEFILE_STRATEGY = "bookwyrm.thumbnail_generation.Strategy"
 # https://docs.djangoproject.com/en/3.2/howto/static-files/
 
 PROJECT_DIR = os.path.dirname(os.path.abspath(__file__))
+CSP_ADDITIONAL_HOSTS = env.list("CSP_ADDITIONAL_HOSTS", [])
 
 # Storage
 
 PROTOCOL = "http"
 if USE_HTTPS:
     PROTOCOL = "https"
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
 
 USE_S3 = env.bool("USE_S3", False)
 
@@ -358,11 +362,17 @@ if USE_S3:
     MEDIA_FULL_URL = MEDIA_URL
     STATIC_FULL_URL = STATIC_URL
     DEFAULT_FILE_STORAGE = "bookwyrm.storage_backends.ImagesStorage"
+    CSP_DEFAULT_SRC = ["'self'", AWS_S3_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
+    CSP_SCRIPT_SRC = ["'self'", AWS_S3_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
 else:
     STATIC_URL = "/static/"
     MEDIA_URL = "/images/"
     MEDIA_FULL_URL = f"{PROTOCOL}://{DOMAIN}{MEDIA_URL}"
     STATIC_FULL_URL = f"{PROTOCOL}://{DOMAIN}{STATIC_URL}"
+    CSP_DEFAULT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
+    CSP_SCRIPT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
+
+CSP_INCLUDE_NONCE_IN = ["script-src"]
 
 OTEL_EXPORTER_OTLP_ENDPOINT = env("OTEL_EXPORTER_OTLP_ENDPOINT", None)
 OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
diff --git a/bookwyrm/signatures.py b/bookwyrm/signatures.py
index 772d39cce..3102f8da2 100644
--- a/bookwyrm/signatures.py
+++ b/bookwyrm/signatures.py
@@ -15,7 +15,7 @@ MAX_SIGNATURE_AGE = 300
 def create_key_pair():
     """a new public/private key pair, used for creating new users"""
     random_generator = Random.new().read
-    key = RSA.generate(1024, random_generator)
+    key = RSA.generate(2048, random_generator)
     private_key = key.export_key().decode("utf8")
     public_key = key.public_key().export_key().decode("utf8")
 
diff --git a/bookwyrm/static/css/bookwyrm/overrides/_bulma_overrides.scss b/bookwyrm/static/css/bookwyrm/overrides/_bulma_overrides.scss
index cdcd74202..9ab44f89d 100644
--- a/bookwyrm/static/css/bookwyrm/overrides/_bulma_overrides.scss
+++ b/bookwyrm/static/css/bookwyrm/overrides/_bulma_overrides.scss
@@ -40,7 +40,7 @@
             }
 
             .navbar-item {
-                // see ../components/_details.scss :: Navbar details
+                /* see ../components/_details.scss :: Navbar details */
                 padding-right: 1.75rem;
                 font-size: 1rem;
             }
@@ -109,3 +109,9 @@
     max-height: 35em;
     overflow: hidden;
 }
+
+.dropdown-menu .button {
+    @include mobile {
+        font-size: $size-6;
+    }
+}
diff --git a/bookwyrm/tasks.py b/bookwyrm/tasks.py
index ec018e179..91977afda 100644
--- a/bookwyrm/tasks.py
+++ b/bookwyrm/tasks.py
@@ -16,3 +16,5 @@ MEDIUM = "medium_priority"
 HIGH = "high_priority"
 # import items get their own queue because they're such a pain in the ass
 IMPORTS = "imports"
+# I keep making more queues?? this one broadcasting out
+BROADCAST = "broadcast"
diff --git a/bookwyrm/templates/discover/large-book.html b/bookwyrm/templates/discover/large-book.html
index f016a2f65..939544987 100644
--- a/bookwyrm/templates/discover/large-book.html
+++ b/bookwyrm/templates/discover/large-book.html
@@ -46,7 +46,7 @@
             </div>
 
             <div class="notification has-background-body p-2 mb-2 clip-text">
-                {% include "snippets/status/content_status.html" with hide_book=True trim_length=70 hide_more=True %}
+                {% include "snippets/status/content_status.html" with hide_book=True trim_length=70 hide_more=True expand=False %}
             </div>
             <a href="{{ status.remote_id }}">
                 <span>{% trans "View status" %}</span>
diff --git a/bookwyrm/templates/feed/status.html b/bookwyrm/templates/feed/status.html
index ccec6503c..c05d2ba46 100644
--- a/bookwyrm/templates/feed/status.html
+++ b/bookwyrm/templates/feed/status.html
@@ -30,7 +30,7 @@
         {% endif %}
         {% endfor %}
         <div class="is-main block">
-            {% include 'snippets/status/status.html' with status=status main=True %}
+            {% include 'snippets/status/status.html' with status=status main=True expand=True %}
         </div>
 
         {% for child in children %}
diff --git a/bookwyrm/templates/guided_tour/book.html b/bookwyrm/templates/guided_tour/book.html
index 44a37f65e..a0d60e831 100644
--- a/bookwyrm/templates/guided_tour/book.html
+++ b/bookwyrm/templates/guided_tour/book.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/group.html b/bookwyrm/templates/guided_tour/group.html
index 088437233..98fa4757a 100644
--- a/bookwyrm/templates/guided_tour/group.html
+++ b/bookwyrm/templates/guided_tour/group.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/home.html b/bookwyrm/templates/guided_tour/home.html
index 37e874afa..be8d095af 100644
--- a/bookwyrm/templates/guided_tour/home.html
+++ b/bookwyrm/templates/guided_tour/home.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 const initiateTour = new Shepherd.Tour({
     exitOnEsc: true,
 });
diff --git a/bookwyrm/templates/guided_tour/lists.html b/bookwyrm/templates/guided_tour/lists.html
index 4c4d241c8..72218e395 100644
--- a/bookwyrm/templates/guided_tour/lists.html
+++ b/bookwyrm/templates/guided_tour/lists.html
@@ -2,7 +2,7 @@
 {% load utilities %}
 {% load user_page_tags %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
diff --git a/bookwyrm/templates/guided_tour/search.html b/bookwyrm/templates/guided_tour/search.html
index 3e726aeb8..8a96ae0dc 100644
--- a/bookwyrm/templates/guided_tour/search.html
+++ b/bookwyrm/templates/guided_tour/search.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 
     let localResult = document.querySelector(".local-book-search-result");
     let remoteResult = document.querySelector(".remote-book-search-result");
diff --git a/bookwyrm/templates/guided_tour/user_books.html b/bookwyrm/templates/guided_tour/user_books.html
index 2a4629050..c86d3cd34 100644
--- a/bookwyrm/templates/guided_tour/user_books.html
+++ b/bookwyrm/templates/guided_tour/user_books.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/user_groups.html b/bookwyrm/templates/guided_tour/user_groups.html
index fc6169521..58502fbc9 100644
--- a/bookwyrm/templates/guided_tour/user_groups.html
+++ b/bookwyrm/templates/guided_tour/user_groups.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/user_profile.html b/bookwyrm/templates/guided_tour/user_profile.html
index 29a94a2ad..f831744b9 100644
--- a/bookwyrm/templates/guided_tour/user_profile.html
+++ b/bookwyrm/templates/guided_tour/user_profile.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 const tour = new Shepherd.Tour({
     exitOnEsc: true,
 });
diff --git a/bookwyrm/templates/layout.html b/bookwyrm/templates/layout.html
index 1227e39c4..c3408f44e 100644
--- a/bookwyrm/templates/layout.html
+++ b/bookwyrm/templates/layout.html
@@ -183,7 +183,7 @@
 {% include 'snippets/footer.html' %}
 {% endblock %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     var csrf_token = '{{ csrf_token }}';
 </script>
 
diff --git a/bookwyrm/templates/ostatus/template.html b/bookwyrm/templates/ostatus/template.html
index eb904a693..25d2430c0 100644
--- a/bookwyrm/templates/ostatus/template.html
+++ b/bookwyrm/templates/ostatus/template.html
@@ -11,7 +11,7 @@
     <title>{% block title %}{% endblock %}</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <link href="{% sass_src site_theme %}" rel="stylesheet" type="text/css" />
-    <script>
+    <script nonce="{{request.csp_nonce}}">
         function closeWindow() {
             window.close();
         }
@@ -32,7 +32,7 @@
     </div>
 </div>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     var csrf_token = '{{ csrf_token }}';
 </script>
 <script src="{% static 'js/bookwyrm.js' %}?v={{ js_cache }}"></script>
diff --git a/bookwyrm/templates/settings/celery.html b/bookwyrm/templates/settings/celery.html
index 6a3ee6574..65315da01 100644
--- a/bookwyrm/templates/settings/celery.html
+++ b/bookwyrm/templates/settings/celery.html
@@ -20,31 +20,37 @@
 {% if queues %}
 <section class="block content">
     <h2>{% trans "Queues" %}</h2>
-    <div class="columns has-text-centered">
-        <div class="column is-3">
+    <div class="columns has-text-centered is-multiline">
+        <div class="column is-4">
             <div class="notification">
                 <p class="header">{% trans "Low priority" %}</p>
                 <p class="title is-5">{{ queues.low_priority|intcomma }}</p>
             </div>
         </div>
-        <div class="column is-3">
+        <div class="column is-4">
             <div class="notification">
                 <p class="header">{% trans "Medium priority" %}</p>
                 <p class="title is-5">{{ queues.medium_priority|intcomma }}</p>
             </div>
         </div>
-        <div class="column is-3">
+        <div class="column is-4">
             <div class="notification">
                 <p class="header">{% trans "High priority" %}</p>
                 <p class="title is-5">{{ queues.high_priority|intcomma }}</p>
             </div>
         </div>
-        <div class="column is-3">
+        <div class="column is-6">
             <div class="notification">
                 <p class="header">{% trans "Imports" %}</p>
                 <p class="title is-5">{{ queues.imports|intcomma }}</p>
             </div>
         </div>
+        <div class="column is-6">
+            <div class="notification">
+                <p class="header">{% trans "Broadcasts" %}</p>
+                <p class="title is-5">{{ queues.broadcast|intcomma }}</p>
+            </div>
+        </div>
     </div>
 </section>
 {% else %}
diff --git a/bookwyrm/templates/settings/dashboard/registration_chart.html b/bookwyrm/templates/settings/dashboard/registration_chart.html
index 3b258fec8..bb51ed8bc 100644
--- a/bookwyrm/templates/settings/dashboard/registration_chart.html
+++ b/bookwyrm/templates/settings/dashboard/registration_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 var registerStats = new Chart(
     document.getElementById('register_stats'),
     {
diff --git a/bookwyrm/templates/settings/dashboard/status_chart.html b/bookwyrm/templates/settings/dashboard/status_chart.html
index a59036a51..93ea315ab 100644
--- a/bookwyrm/templates/settings/dashboard/status_chart.html
+++ b/bookwyrm/templates/settings/dashboard/status_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var statusStats = new Chart(
     document.getElementById('status_stats'),
diff --git a/bookwyrm/templates/settings/dashboard/user_chart.html b/bookwyrm/templates/settings/dashboard/user_chart.html
index a8d356bb8..499554af6 100644
--- a/bookwyrm/templates/settings/dashboard/user_chart.html
+++ b/bookwyrm/templates/settings/dashboard/user_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var userStats = new Chart(
     document.getElementById('user_stats'),
diff --git a/bookwyrm/templates/settings/dashboard/works_chart.html b/bookwyrm/templates/settings/dashboard/works_chart.html
index c65014e98..41cb13a6b 100644
--- a/bookwyrm/templates/settings/dashboard/works_chart.html
+++ b/bookwyrm/templates/settings/dashboard/works_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var worksStats = new Chart(
     document.getElementById('works_stats'),
diff --git a/bookwyrm/templates/snippets/create_status/quotation.html b/bookwyrm/templates/snippets/create_status/quotation.html
index a9ddb17f4..bd1d817ad 100644
--- a/bookwyrm/templates/snippets/create_status/quotation.html
+++ b/bookwyrm/templates/snippets/create_status/quotation.html
@@ -65,6 +65,22 @@ uuid: a unique identifier used to make html "id" attributes unique and clarify j
                     {% if not draft %}data-cache-draft="id_position_{{ book.id }}_{{ type }}"{% endif %}
                 >
             </div>
+            <div class="button is-static">
+                {% trans "to" %}
+            </div>
+            <div class="control">
+                <input
+                    aria-label="{% if draft.position_mode == 'PG' %}Page{% else %}Percent{% endif %}"
+                    class="input"
+                    type="number"
+                    min="0"
+                    name="endposition"
+                    size="3"
+                    value="{% firstof draft.endposition '' %}"
+                    id="endposition_{{ uuid }}"
+                    {% if not draft %}data-cache-draft="id_endposition_{{ book.id }}_{{ type }}"{% endif %}
+                >
+            </div>
         </div>
     </div>
 {% endblock %}
diff --git a/bookwyrm/templates/snippets/pagination.html b/bookwyrm/templates/snippets/pagination.html
index db2396ae7..85f966f50 100644
--- a/bookwyrm/templates/snippets/pagination.html
+++ b/bookwyrm/templates/snippets/pagination.html
@@ -9,7 +9,7 @@
         {% endif %}>
 
         <span class="icon icon-arrow-left" aria-hidden="true"></span>
-        {% trans "Previous" %}
+        {% trans "Older" %}
     </a>
 
     <a
@@ -20,7 +20,7 @@
         aria-hidden="true"
         {% endif %}>
 
-        {% trans "Next" %}
+        {% trans "Newer" %}
         <span class="icon icon-arrow-right" aria-hidden="true"></span>
     </a>
 
diff --git a/bookwyrm/templates/snippets/report_button.html b/bookwyrm/templates/snippets/report_button.html
index 60b542f43..92d70699c 100644
--- a/bookwyrm/templates/snippets/report_button.html
+++ b/bookwyrm/templates/snippets/report_button.html
@@ -5,7 +5,7 @@
 
 {% join "report" report_uuid as modal_id %}
 <button
-    class="button is-small is-danger is-light is-fullwidth"
+    class="button is-small is-danger is-light is-fullwidth {{ class }}"
     type="button"
     data-modal-open="{{ modal_id }}"
     {% if is_current %}disabled{% endif %}
diff --git a/bookwyrm/templates/snippets/status/body.html b/bookwyrm/templates/snippets/status/body.html
index 2c8a0e045..cd3b3cd43 100644
--- a/bookwyrm/templates/snippets/status/body.html
+++ b/bookwyrm/templates/snippets/status/body.html
@@ -6,9 +6,8 @@
 {% if status_type == 'GeneratedNote' or status_type == 'Rating' %}
     {% include 'snippets/status/generated_status.html' with status=status %}
 {% else %}
-    {% include 'snippets/status/content_status.html' with status=status %}
+    {% include 'snippets/status/content_status.html' with status=status expand=expand %}
 {% endif %}
 
 {% endwith %}
 {% endblock %}
-
diff --git a/bookwyrm/templates/snippets/status/content_status.html b/bookwyrm/templates/snippets/status/content_status.html
index e39284fcf..138a442af 100644
--- a/bookwyrm/templates/snippets/status/content_status.html
+++ b/bookwyrm/templates/snippets/status/content_status.html
@@ -99,9 +99,9 @@
                             &mdash; {% include 'snippets/book_titleby.html' with book=status.book %}
                             {% if status.position %}
                                 {% if status.position_mode == 'PG' %}
-                                    {% blocktrans with page=status.position|intcomma %}(Page {{ page }}){% endblocktrans %}
+                                    {% blocktrans with page=status.position|intcomma %}(Page {{ page }}{% endblocktrans%}{% if status.endposition and status.endposition != status.position %} - {% blocktrans with endpage=status.endposition|intcomma %}{{ endpage }}{% endblocktrans %}{% endif%})
                                 {% else %}
-                                    {% blocktrans with percent=status.position %}({{ percent }}%){% endblocktrans %}
+                                    {% blocktrans with percent=status.position %}({{ percent }}%{% endblocktrans %}{% if status.endposition and status.endposition != status.position %}{% blocktrans with endpercent=status.endposition|intcomma %} - {{ endpercent }}%{% endblocktrans %}{% endif %})
                                 {% endif %}
                             {% endif %}
                         </p>
@@ -109,7 +109,7 @@
                 {% endif %}
 
                 {% if status.content and status_type != 'GeneratedNote' and status_type != 'Announce' %}
-                    {% with full=status.content|safe no_trim=status.content_warning itemprop="reviewBody" %}
+                    {% with full=status.content|safe no_trim=status.content_warning|default:expand itemprop="reviewBody" %}
                         {% include 'snippets/trimmed_text.html' %}
                     {% endwith %}
                 {% endif %}
@@ -155,4 +155,3 @@
 </div>
 
 {% endwith %}
-
diff --git a/bookwyrm/templates/snippets/status/status.html b/bookwyrm/templates/snippets/status/status.html
index eb0c409eb..a04b76700 100644
--- a/bookwyrm/templates/snippets/status/status.html
+++ b/bookwyrm/templates/snippets/status/status.html
@@ -10,6 +10,6 @@
         {% trans "boosted" %}
         {% include 'snippets/status/body.html' with status=status|boosted_status %}
     {% else %}
-        {% include 'snippets/status/body.html' with status=status %}
+        {% include 'snippets/status/body.html' with status=status expand=expand %}
     {% endif %}
 {% endif %}
diff --git a/bookwyrm/tests/views/books/test_book.py b/bookwyrm/tests/views/books/test_book.py
index e536ef736..a829c4a4b 100644
--- a/bookwyrm/tests/views/books/test_book.py
+++ b/bookwyrm/tests/views/books/test_book.py
@@ -257,6 +257,33 @@ class BookViews(TestCase):
         self.assertEqual(mock.call_args[0][0], "https://openlibrary.org/book/123")
         self.assertEqual(result.status_code, 302)
 
+    @patch("bookwyrm.models.activitypub_mixin.broadcast_task.apply_async")
+    @patch("bookwyrm.activitystreams.add_status_task.delay")
+    def test_quotation_endposition(self, *_):
+        """make sure the endposition is served as well"""
+        view = views.Book.as_view()
+
+        _ = models.Quotation.objects.create(
+            user=self.local_user,
+            book=self.book,
+            content="hi",
+            quote="wow",
+            position=12,
+            endposition=13,
+        )
+
+        request = self.factory.get("")
+        request.user = self.local_user
+
+        with patch("bookwyrm.views.books.books.is_api_request") as is_api:
+            is_api.return_value = False
+            result = view(request, self.book.id, user_statuses="quotation")
+        self.assertIsInstance(result, TemplateResponse)
+        validate_html(result.render())
+        print(result.render())
+        self.assertEqual(result.status_code, 200)
+        self.assertEqual(result.context_data["statuses"].object_list[0].endposition, 13)
+
 
 def _setup_cover_url():
     """creates cover url mock"""
diff --git a/bookwyrm/tests/views/test_discover.py b/bookwyrm/tests/views/test_discover.py
index b0989da8f..ffe8c51c9 100644
--- a/bookwyrm/tests/views/test_discover.py
+++ b/bookwyrm/tests/views/test_discover.py
@@ -11,6 +11,7 @@ from bookwyrm.tests.validate_html import validate_html
 class DiscoverViews(TestCase):
     """pages you land on without really trying"""
 
+    # pylint: disable=invalid-name
     def setUp(self):
         """we need basic test data and mocks"""
         self.factory = RequestFactory()
@@ -43,7 +44,7 @@ class DiscoverViews(TestCase):
 
     @patch("bookwyrm.models.activitypub_mixin.broadcast_task.apply_async")
     @patch("bookwyrm.activitystreams.add_status_task.delay")
-    def test_discover_page(self, *_):
+    def test_discover_page_with_posts(self, *_):
         """there are so many views, this just makes sure it LOADS"""
         view = views.Discover.as_view()
         request = self.factory.get("")
@@ -53,17 +54,34 @@ class DiscoverViews(TestCase):
             title="hi", parent_work=models.Work.objects.create(title="work")
         )
 
+        models.ReviewRating.objects.create(
+            book=book,
+            user=self.local_user,
+            rating=4,
+        )
+        models.Review.objects.create(
+            book=book,
+            user=self.local_user,
+            content="hello",
+            rating=4,
+        )
         models.Comment.objects.create(
             book=book,
             user=self.local_user,
             content="hello",
         )
+        models.Quotation.objects.create(
+            book=book,
+            user=self.local_user,
+            quote="beep",
+            content="hello",
+        )
         models.Status.objects.create(user=self.local_user, content="beep")
 
         with patch(
             "bookwyrm.activitystreams.ActivityStream.get_activity_stream"
         ) as mock:
-            mock.return_value = models.Status.objects.all()
+            mock.return_value = models.Status.objects.select_subclasses().all()
             result = view(request)
         self.assertEqual(mock.call_count, 1)
         self.assertEqual(result.status_code, 200)
diff --git a/bookwyrm/views/admin/celery_status.py b/bookwyrm/views/admin/celery_status.py
index 8c6b9f5a3..e0b1fe18c 100644
--- a/bookwyrm/views/admin/celery_status.py
+++ b/bookwyrm/views/admin/celery_status.py
@@ -8,7 +8,7 @@ from django.views.decorators.http import require_GET
 import redis
 
 from celerywyrm import settings
-from bookwyrm.tasks import app as celery
+from bookwyrm.tasks import app as celery, LOW, MEDIUM, HIGH, IMPORTS, BROADCAST
 
 r = redis.from_url(settings.REDIS_BROKER_URL)
 
@@ -35,10 +35,11 @@ class CeleryStatus(View):
 
         try:
             queues = {
-                "low_priority": r.llen("low_priority"),
-                "medium_priority": r.llen("medium_priority"),
-                "high_priority": r.llen("high_priority"),
-                "imports": r.llen("imports"),
+                LOW: r.llen(LOW),
+                MEDIUM: r.llen(MEDIUM),
+                HIGH: r.llen(HIGH),
+                IMPORTS: r.llen(IMPORTS),
+                BROADCAST: r.llen(BROADCAST),
             }
         # pylint: disable=broad-except
         except Exception as err:
diff --git a/bookwyrm/views/admin/dashboard.py b/bookwyrm/views/admin/dashboard.py
index 19583bfa1..682f2d811 100644
--- a/bookwyrm/views/admin/dashboard.py
+++ b/bookwyrm/views/admin/dashboard.py
@@ -12,6 +12,8 @@ from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views import View
 
+from csp.decorators import csp_update
+
 from bookwyrm import models, settings
 from bookwyrm.connectors.abstract_connector import get_data
 from bookwyrm.connectors.connector_manager import ConnectorException
@@ -27,6 +29,9 @@ from bookwyrm.utils import regex
 class Dashboard(View):
     """admin overview"""
 
+    @csp_update(
+        SCRIPT_SRC="https://cdn.jsdelivr.net/npm/chart.js@3.5.1/dist/chart.min.js"
+    )
     def get(self, request):
         """list of users"""
         data = get_charts_and_stats(request)
diff --git a/bookwyrm/views/search.py b/bookwyrm/views/search.py
index f7d552a4e..bc3b2aa57 100644
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@@ -8,6 +8,8 @@ from django.http import JsonResponse
 from django.template.response import TemplateResponse
 from django.views import View
 
+from csp.decorators import csp_update
+
 from bookwyrm import models
 from bookwyrm.connectors import connector_manager
 from bookwyrm.book_search import search, format_search_result
@@ -21,6 +23,7 @@ from .helpers import handle_remote_webfinger
 class Search(View):
     """search users or books"""
 
+    @csp_update(IMG_SRC="*")
     def get(self, request):
         """that search bar up top"""
         if is_api_request(request):
diff --git a/contrib/systemd/bookwyrm-worker.service b/contrib/systemd/bookwyrm-worker.service
index d79fdabf6..e4f1e98b5 100644
--- a/contrib/systemd/bookwyrm-worker.service
+++ b/contrib/systemd/bookwyrm-worker.service
@@ -6,7 +6,7 @@ After=network.target postgresql.service redis.service
 User=bookwyrm
 Group=bookwyrm
 WorkingDirectory=/opt/bookwyrm/
-ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,import
+ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,import,broadcast
 StandardOutput=journal
 StandardError=inherit
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 4ab7a1c34..4389c08aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -62,7 +62,7 @@ services:
     build: .
     networks:
       - main
-    command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,imports
+    command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,imports,broadcast
     volumes:
       - .:/app
       - static_volume:/app/static
diff --git a/requirements.txt b/requirements.txt
index ab45e08a4..b63c1f30c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,12 +2,13 @@ aiohttp==3.8.3
 bleach==5.0.1
 celery==5.2.7
 colorthief==0.2.1
-Django==3.2.17
+Django==3.2.18
 django-celery-beat==2.4.0
 django-compressor==4.3.1
 django-imagekit==4.1.0
 django-model-utils==4.3.1
 django-sass-processor==1.2.2
+django-csp==3.7
 environs==9.5.0
 flower==1.2.0
 libsass==0.22.0