diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index ab140947b..d38c93820 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -47,15 +47,8 @@ http {
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 
-        # Content Security Policy (single quoted string required by nginx add_header)
-        # - 'unsafe-inline' in script-src: required for runtime-config.js injected at container start
-        # - 'unsafe-eval' in script-src: required by RJSF (React JSON Schema Form) which uses new Function()
-        # - 'unsafe-inline' in style-src: required by Ant Design CSS-in-JS
-        # - blob: in connect-src: required by PDF.js viewer for blob: URL document loading
-        # - cdn.jsdelivr.net: Monaco Editor loads from this CDN
-        # - unpkg.com: PDF.js worker
-        # - PostHog, GTM, reCAPTCHA, Stripe, Product Fruits: third-party services
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;
+        # CSP in report-only mode: logs violations to browser console without blocking requests.
+        add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://cdn.jsdelivr.net https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;
 
         # Disable TRACE and TRACK methods
         if ($request_method ~ ^(TRACE|TRACK)$) {