diff --git a/app/main.py b/app/main.py
index 16a5b7e..89927d6 100644
--- a/app/main.py
+++ b/app/main.py
@@ -31,16 +31,16 @@ app.add_middleware(
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
     async def dispatch(self, request, call_next):
         response = await call_next(request)
-        response.headers["X-Frame-Options"] = "SAMEORIGIN"
         response.headers["X-Content-Type-Options"] = "nosniff"
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        # Permissive CSP: allow same-origin, CDN scripts, inline styles, images from anywhere
         response.headers["Content-Security-Policy"] = (
-            "default-src 'self'; "
-            "script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
-            "style-src 'self' 'unsafe-inline'; "
-            "img-src 'self' data: blob:; "
-            "font-src 'self'; "
-            "connect-src 'self';"
+            "default-src * 'self' data: blob: 'unsafe-inline' 'unsafe-eval'; "
+            "script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
+            "style-src * 'self' 'unsafe-inline'; "
+            "img-src * 'self' data: blob:; "
+            "font-src * 'self' data:; "
+            "connect-src * 'self';"
         )
         return response
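Review bot: The new Content-Security-Policy no longer mitigates anything: `script-src * 'self' 'unsafe-inline' 'unsafe-eval'` lets a script from any origin, any inline script and any string-to-code sink execute, so the listed CDN hosts are redundant and an XSS is unconstrained, and `connect-src *` lets injected code exfiltrate to any host; the added comment ("images from anywhere") understates this, since it is scripts and connections from anywhere too. Dropping `X-Frame-Options: SAMEORIGIN` without adding a `frame-ancestors` directive also removes the only clickjacking protection this middleware provided. Keep the wildcard and `'unsafe-eval'` out of `default-src` and `script-src`, i.e. `"default-src 'self'; "` and `"script-src 'self' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "` (the pre-existing `'unsafe-inline'` on scripts is itself worth replacing with a nonce), and add `"frame-ancestors 'self';"` before deleting the X-Frame-Options line. If the loosening is meant for debugging a blocked resource, ship it as `Content-Security-Policy-Report-Only` rather than replacing the enforced policy, and note that in the comment.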