diff --git a/docker/resume/Caddyfile b/docker/resume/Caddyfile
index bf7e657..03f05fc 100644
--- a/docker/resume/Caddyfile
+++ b/docker/resume/Caddyfile
@@ -6,15 +6,15 @@
 # Security headers
 header {
 # HSTS
- Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
 # Basic security headers
- X-Frame-Options "SAMEORIGIN"
+ X-Frame-Options "DENY"
 X-Content-Type-Options "nosniff"
 Referrer-Policy "strict-origin-when-cross-origin"
 # Permissions policy
- Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()"
+ Permissions-Policy "geolocation=(), microphone=(), camera=()"
 # Cross-origin isolation headers
 Cross-Origin-Embedder-Policy "require-corp"
@@ -22,7 +22,7 @@
 Cross-Origin-Opener-Policy "same-origin"
 # Simplified CSP for static content
- Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; base-uri 'self'; form-action 'self'"
+ Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
 }
 # Handle 404s
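Review bot: The new Permissions-Policy line drops accelerometer, gyroscope, magnetometer, payment and usb from the deny list, so those features fall back to their browser defaults (typically allowed for same-origin content) even though the rest of this hunk tightens things; for a static site there is no reason to give them back, so keep the old list or document why it was narrowed, e.g. `Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()"`. Removing `preload` from Strict-Transport-Security does not undo a prior preload-list submission, so if this domain was ever submitted that needs handling separately; if it never was, a one-line comment such as `# preload omitted: domain is not on the HSTS preload list` would make the intent clear. The `X-Frame-Options "DENY"` change matches the `frame-ancestors 'none'` added in the second hunk, which is consistent. The `header {` block continues past this hunk.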
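Review bot: Dropping `'unsafe-inline'` from script-src is the right direction, but it also blocks inline event-handler attributes and any inline `<script>` on the page, and nothing on this page shows the served HTML has none; verify that before merging, and if a specific inline script is required prefer a hash (`'sha256-…'`) for that one block rather than reinstating `'unsafe-inline'`. The trailing `;` after `frame-ancestors 'none'` is harmless but inconsistent with the rest of the directive list. `style-src` still carries `'unsafe-inline'`, so the "Simplified CSP for static content" comment could note that styles are the remaining inline exception.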