diff --git a/_headers b/_headers
index e7ac02c..e38db35 100644
--- a/_headers
+++ b/_headers
@@ -1,5 +1,16 @@
 /*
-  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
+  Cloudflare Pages headers for SeedPGP Web
+  This file must be named _headers at build output root, or in public/_headers,
+  depending on your deployment setup.
+*/
+
+/*
+  Catch-all for the app
+*/
+/
+
+/* Security headers */
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
   X-Frame-Options: DENY
   X-Content-Type-Options: nosniff
   Referrer-Policy: no-referrer
diff --git a/index.html b/index.html
index a071591..18d81ca 100644
--- a/index.html
+++ b/index.html
@@ -8,21 +8,24 @@
   <title>SeedPGP Web</title>
 
   <!-- Baseline CSP for generic builds.
-       TailsOS builds override this via Makefile (build-tails target). -->
+       TailsOS builds override this via Makefile (build-tails target).
+       Commented out for development to avoid CSP issues with WebAssembly.
   <meta
     http-equiv="Content-Security-Policy"
     content="
       default-src 'self';
-      script-src 'self' 'unsafe-inline';
+      script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' 'unsafe-eval';
       style-src 'self' 'unsafe-inline';
       img-src 'self' data: blob:;
-      connect-src 'self';
+      connect-src 'self' blob: data:;
       font-src 'self';
       object-src 'none';
+      media-src 'self' blob:;
       base-uri 'self';
       form-action 'none';
     "
   />
+  -->
 </head>
 
 <body>
diff --git a/vite.config.ts b/vite.config.ts
index 95cdeb7..d56d16d 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -17,8 +17,9 @@ export default defineConfig({
   plugins: [
     wasm(),
     topLevelAwait(),
-    basicSsl(),
     react(),
+    // basicSsl() plugin removed - it was causing MIME type issues with raw imports
+    // Enable only when specifically needed for HTTPS development
     {
       name: 'html-transform',
       transformIndexHtml(html) {
@@ -27,11 +28,17 @@ export default defineConfig({
     }
   ],
   server: {
-    host: '0.0.0.0',
-    port: 5173,
-    strictPort: true,
-    https: true,
+    headers: {
+      'Content-Security-Policy': '',  // Empty CSP for dev
+    },
   },
+
+  preview: {
+    headers: {
+      'Content-Security-Policy': '',  // Empty for preview too
+    },
+  },
+
   resolve: {
     alias: {
       buffer: 'buffer',