diff --git a/GEMINI.md b/GEMINI.md index 88489f2..bb2b3f4 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -130,9 +130,18 @@ bun run preview # Preview production build ### Deployment Process +This project is now deployed to Cloudflare Pages for enhanced security. + 1. **Private repo** (`seedpgp-web`): Source code, development -2. **Public repo** (`seedpgp-web-app`): Built files for GitHub Pages -3. **Deploy script** (`scripts/deploy.sh`): Builds + copies to dist/ + pushes to public repo +2. **Cloudflare Pages**: Deploys from `seedpgp-web` repo directly. +3. **GitHub Pages (Legacy)**: `seedpgp-web-app` public repo is retained for historical purposes, but no longer actively deployed to. + +### Cloudflare Pages Deployment + +1. Connect GitHub repo (`seedpgp-web`) to Cloudflare Pages. +2. Build settings: `bun run build`, output directory: `dist/`. +3. `public/_headers` file enforces Content Security Policy (CSP) and other security headers automatically. +4. Benefits: Real CSP enforcement, not just a UI toggle. ### Git Workflow diff --git a/public/_headers b/public/_headers new file mode 100644 index 0000000..f97313c --- /dev/null +++ b/public/_headers @@ -0,0 +1,6 @@ +/* + Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; form-action 'none'; base-uri 'self'; + X-Frame-Options: DENY + X-Content-Type-Options: nosniff + X-XSS-Protection: 1; mode=block + Referrer-Policy: strict-origin-when-cross-origin
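Review bot: In the GEMINI.md hunk, the "Deployment Process" list drops the `scripts/deploy.sh` step but the hunk says nothing about the script itself; if it still exists it will keep building and pushing to the legacy `seedpgp-web-app` repo, so either delete it in this change or add a line stating it is retired. Two smaller points in the same hunk: "deployed to Cloudflare Pages for enhanced security" is vague, and the concrete gain is stated only later ("Real CSP enforcement, not just a UI toggle"), so say it up front, e.g. "because Cloudflare Pages applies `public/_headers` as real response headers"; and for the legacy item, "no longer actively deployed to" should be paired with a note on whether GitHub Pages serving is switched off for `seedpgp-web-app`, since an old build left online there would still be reachable without the new headers.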
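Review bot: In the `public/_headers` hunk, `connect-src 'none'` forbids every `fetch`/XHR/WebSocket including same-origin requests, which is stricter than the `default-src 'self'` fallback and will break any asset the app loads at runtime via `fetch` (JSON, WASM, wordlists); confirm the build makes no such requests or change it to `connect-src 'self'`. The policy should also add `frame-ancestors 'none'` (the CSP equivalent of `X-Frame-Options: DENY`, which modern browsers prefer) and `object-src 'none'`, and `style-src 'unsafe-inline'` is the one loosening in the policy, so a comment or doc note on why it is needed would help. `X-XSS-Protection: 1; mode=block` is deprecated and ignored by current Chromium and Firefox; the usual recommendation now is `X-XSS-Protection: 0` or dropping the header. Consider also adding `Strict-Transport-Security` here, since this file is now the single place security headers are defined.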