diff --git a/backend/src/app.js b/backend/src/app.js
index e9d9394..45daa4c 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -134,19 +134,30 @@ const frontendDistPath = path.join(__dirname, '../../frontend/dist');
 const fs = require('fs');
 if (fs.existsSync(frontendDistPath)) {
   // Serve static files with proper headers for SPA
+  // Use middleware to set headers with access to request object
+  app.use((req, res, next) => {
+    // Set CORS headers for assets if needed
+    const origin = req.headers.origin;
+    if (origin) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Access-Control-Allow-Credentials', 'true');
+    }
+    next();
+  });
+
   app.use(express.static(frontendDistPath, {
     maxAge: '1y', // Cache static assets
     etag: true,
     lastModified: true,
-    setHeaders: (res, path) => {
+    setHeaders: (res, filePath) => {
       // Set proper content type for JS/CSS files
-      if (path.endsWith('.js')) {
-        res.setHeader('Content-Type', 'application/javascript');
-      } else if (path.endsWith('.css')) {
-        res.setHeader('Content-Type', 'text/css');
+      if (filePath.endsWith('.js')) {
+        res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+      } else if (filePath.endsWith('.css')) {
+        res.setHeader('Content-Type', 'text/css; charset=utf-8');
       }
-      // Allow CORS for assets (if needed)
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      // Security headers for assets
+      res.setHeader('X-Content-Type-Options', 'nosniff');
     },
   }));
 }
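Review bot: The new middleware reflects whatever `req.headers.origin` arrives into `Access-Control-Allow-Origin` and pairs it with `Access-Control-Allow-Credentials: 'true'`, which is functionally a wildcard with credentials — the combination browsers refuse to honour for a literal `*` — and because it is registered with a bare `app.use()` rather than being scoped to the static handler, it is applied to every route reached after this point, not only the assets. A static SPA bundle served from the same host does not need credentialed CORS at all; either drop the middleware (the removed `'*'` header without credentials was the less risky of the two) or check the origin against a configured allowlist, e.g. `if (origin && ALLOWED_ORIGINS.has(origin)) {` where ALLOWED_ORIGINS stands in for the deployment's configured set of origins. If the header is kept per-origin, also add `res.setHeader('Vary', 'Origin');` next to it, since the same responses are cached under `maxAge: '1y'` and a reflected header would otherwise be served to other origins from cache. The comment `// Set CORS headers for assets if needed` should also say that the middleware runs for all subsequently registered routes, because registration order is the only thing scoping it.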