diff --git a/hosts/web-arm/sites/fueltide.io.nix b/hosts/web-arm/sites/fueltide.io.nix
index 138952b..eee28ae 100644
--- a/hosts/web-arm/sites/fueltide.io.nix
+++ b/hosts/web-arm/sites/fueltide.io.nix
@@ -21,6 +21,11 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
+    extraConfig = ''
+      add_header Cross-Origin-Embedder-Policy "credentialless" always;
+      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
+    '';
+
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;
@@ -41,6 +46,11 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
+    extraConfig = ''
+      add_header Cross-Origin-Embedder-Policy "credentialless" always;
+      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
+    '';
+
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;
@@ -61,6 +71,11 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
+    extraConfig = ''
+      add_header Cross-Origin-Embedder-Policy "credentialless" always;
+      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
+    '';
+
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;