diff --git a/docker/showerloop/Caddyfile.default.template b/docker/showerloop/Caddyfile.default.template
index 7ff1258..570c4a1 100644
--- a/docker/showerloop/Caddyfile.default.template
+++ b/docker/showerloop/Caddyfile.default.template
@@ -13,29 +13,12 @@
 
     # Enable compression for text-based resources
     encode gzip zstd
-    # MIME type overrides for HLS streaming - allow multiple formats
-    @m3u8Files {
-        path *.m3u8
-    }
-    @tsFiles {
-        path *.ts
-    }
-    # Support multiple MIME types for HLS
-    header @m3u8Files {
-        Content-Type "application/x-mpegURL, application/vnd.apple.mpegurl"
-        Access-Control-Allow-Origin "*"
-    }
-    header @tsFiles {
-        Content-Type "video/MP2T"
-        Access-Control-Allow-Origin "*"
-    }
-
-    # Security headers
+    # Allow all file types - disable mime type checking
     header {
-        # Cross-Origin headers
-        Cross-Origin-Embedder-Policy "require-corp"
-        Cross-Origin-Opener-Policy "same-origin"
-        Cross-Origin-Resource-Policy "same-origin"
+        # Cross-Origin headers - allow everything
+        Access-Control-Allow-Origin "*"
+        Access-Control-Allow-Methods "GET, OPTIONS, POST"
+        Access-Control-Allow-Headers "*"
 
         # Permissions Policy
         Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
@@ -46,8 +29,8 @@
 
         # HSTS
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-        # Content Type Options
-        X-Content-Type-Options "nosniff"
+        # Content Type Options - disable for more permissive handling
+        # X-Content-Type-Options "nosniff"
 
         # XSS Protection
         X-XSS-Protection "1; mode=block"
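Review bot: The new global `header {}` block emits `Access-Control-Allow-Origin "*"` and `Access-Control-Allow-Headers "*"` on every response, and the removed `Cross-Origin-Embedder-Policy`/`Cross-Origin-Opener-Policy`/`Cross-Origin-Resource-Policy` lines get no replacement, so the whole site rather than just the HLS playlists and segments becomes readable cross-origin and the isolation those three headers provided is dropped. The previous configuration scoped `Access-Control-Allow-Origin` to the `@m3u8Files`/`@tsFiles` matchers, which is all a player on another origin needs for plain GETs; keeping the wildcard there and removing the three `Access-Control-Allow-*` lines from the global block restores the earlier exposure without affecting playback. `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` are only consulted on preflighted requests, which a GET of a playlist or segment does not issue, so they appear to add nothing here. If `Cross-Origin-Embedder-Policy "require-corp"` was what broke loading, dropping only that header (or adding `Cross-Origin-Resource-Policy "cross-origin"` on the HLS matchers) is the narrower change. The comment `# Allow all file types - disable mime type checking` does not describe what a `header` block does; `# Response headers applied to every request` would be accurate.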
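Review bot: Commenting out `X-Content-Type-Options "nosniff"` re-enables browser content sniffing for every response served, removing the mitigation against a user-controlled or misnamed file being interpreted as script or a stylesheet by type confusion. As far as I know browsers enforce `nosniff` on script and stylesheet destinations, not on media elements or fetch/XHR downloads, so it is unlikely to be what blocked HLS playback; if a wrong Content-Type was the symptom, the per-matcher `Content-Type` headers added for `*.m3u8` and `*.ts` are the fix and the global line should be restored: `X-Content-Type-Options "nosniff"`. The enclosing `header {` block starts in the previous hunk.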
@@ -55,13 +38,29 @@
 
         # Frame Options (prevents clickjacking)
         X-Frame-Options "SAMEORIGIN"
-        # Update CSP to allow media content, scripts, and blob URLs with hashes
-        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' https: data: blob:; media-src 'self' blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; worker-src 'self' blob:"
+        # Permissive CSP that allows everything
+        Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
 
         # Remove Server header
         -Server
     }
 
+    # HLS specific handling - explicit MIME types for all m3u8 and ts files
+    @m3u8Files {
+        path *.m3u8
+    }
+    @tsFiles {
+        path *.ts
+    }
+    header @m3u8Files {
+        Content-Type "application/x-mpegURL"
+        Access-Control-Allow-Origin "*"
+    }
+    header @tsFiles {
+        Content-Type "video/MP2T"
+        Access-Control-Allow-Origin "*"
+    }
+
     # Cache control for static assets - images, fonts, etc.
     @staticAssets {
         path *.jpg *.jpeg *.png *.webp *.avif *.gif *.ico *.svg *.woff *.woff2 *.ttf *.eot
@@ -84,14 +83,6 @@
     }
     header @htmlFiles Cache-Control "public, max-age=86400, must-revalidate"
 
-    # HLS file handling
-    @hlsFiles {
-        path *.m3u8 *.ts
-        method GET HEAD
-    }
-    header @hlsFiles Cache-Control "public, max-age=300"
-    header @hlsFiles Access-Control-Allow-Origin "*"
-
     # Static file server
     file_server {
         root /srv # Root directory for serving static files
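Review bot: `Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"` removes everything the previous policy provided: `'unsafe-inline'` and `'unsafe-eval'` applied to all sources disable the script-injection mitigation entirely, and `frame-ancestors 'none'` is gone, so framing protection now rests on `X-Frame-Options "SAMEORIGIN"` alone, which is also looser than the old policy's blanket ban. The removed policy already allowed `blob:` for script-src, media-src and worker-src, so if one HLS resource was still blocked, the targeted fix is to add the missing source to the single directive the browser's CSP violation report names, and to keep `frame-ancestors 'none'` either way. The re-added `@m3u8Files`/`@tsFiles` header blocks also no longer carry the `Cache-Control "public, max-age=300"` that the deleted `@hlsFiles` matcher set in the last hunk, so playlists and segments are now cached at whatever default intermediaries apply; add `Cache-Control "public, max-age=300"` to both blocks if the previous behaviour is still intended. Their `Access-Control-Allow-Origin "*"` lines duplicate the value the global `header {}` block now sets on every response, so one of the two is redundant.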