diff --git a/appveyor.yml b/appveyor.yml
index 6008c5ee..fb936d1f 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -463,7 +463,6 @@ before_build:
     -DCIVETWEB_SSL_OPENSSL_API_1_0=NO
     -DCIVETWEB_SSL_OPENSSL_API_1_1=YES
     -DCIVETWEB_SSL_OPENSSL_API_3_0=NO
-
     "%source_path%"
   - powershell Push-AppveyorArtifact CMakeCache.txt
   - cd "%source_path%"
diff --git a/src/civetweb.c b/src/civetweb.c
index b45a264c..34b4f661 100644
--- a/src/civetweb.c
+++ b/src/civetweb.c
@@ -4179,6 +4179,8 @@ send_additional_header(struct mg_connection *conn)
 	}
 #endif
 
+	// Content-Security-Policy
+
 	if (header && header[0]) {
 		mg_response_header_add_lines(conn, header);
 	}
@@ -7724,21 +7726,25 @@ substitute_index_file(struct mg_connection *conn,
 		if ((root_prefix) && (fallback_root_prefix)) {
 			const size_t root_prefix_len = strlen(root_prefix);
 			if ((strncmp(path, root_prefix, root_prefix_len) == 0)) {
+				char scratch_path[UTF8_PATH_MAX]; /* separate storage, to avoid
+				                                  side effects if we fail */
+				size_t sub_path_len;
+
 				const size_t fallback_root_prefix_len =
 				    strlen(fallback_root_prefix);
 				const char *sub_path = path + root_prefix_len;
-				while (*sub_path == '/')
+				while (*sub_path == '/') {
 					sub_path++;
-				const size_t sub_path_len = strlen(sub_path);
+				}
+				sub_path_len = strlen(sub_path);
 
-				char scratch_path[UTF8_PATH_MAX]; /* separate storage, to avoid
-				                                     side effects if we fail */
 				if (((fallback_root_prefix_len + 1 + sub_path_len + 1)
 				     < sizeof(scratch_path))) {
 					/* The concatenations below are all safe because we
 					 * pre-verified string lengths above */
+					char *nul;
 					strcpy(scratch_path, fallback_root_prefix);
-					char *nul = strchr(scratch_path, '\0');
+					nul = strchr(scratch_path, '\0');
 					if ((nul > scratch_path) && (*(nul - 1) != '/')) {
 						*nul++ = '/';
 						*nul = '\0';