diff --git a/Caddyfile b/Caddyfile
index fd7261c..20b6ae9 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -8,6 +8,19 @@
root * /srv
encode zstd gzip
+ # Security headers (FO-SEC-03). CSP allows self + the two pinned CDNs, the
+ # CARTO basemap (styles/tiles/fonts) and the fleet APIs; SRI in index.html
+ # pins the CDN payloads themselves. frame-ancestors 'none' = no clickjacking.
+ # script-src keeps 'unsafe-inline' because the whole app is one inline
+ #
-
+
+
-
-
+
+