diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 09213f6..6f5ae42 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -61,13 +61,14 @@ async function bootstrap() {
 // ── Security Headers (Helmet) ──
 app.use(
 helmet({
+ // CSP relaxed for API — responses are consumed cross-origin by the web frontend
 contentSecurityPolicy: {
 directives: {
 defaultSrc: ["'self'"],
 scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
 styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
 imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
- connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+ connectSrc: ["'self'", 'https://cdn.jsdelivr.net', 'https://api.goodgo.vn'],
 fontSrc: ["'self'", 'data:'],
 objectSrc: ["'none'"],
 frameSrc: ["'none'"],
@@ -75,9 +76,10 @@ async function bootstrap() {
 formAction: ["'self'"],
 },
 },
- crossOriginEmbedderPolicy: true,
- crossOriginOpenerPolicy: true,
- crossOriginResourcePolicy: { policy: 'same-origin' },
+ // Must allow cross-origin for API consumed by platform.goodgo.vn
+ crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: false,
+ crossOriginResourcePolicy: { policy: 'cross-origin' },
 frameguard: { action: 'deny' },
 hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
 referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
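Review bot: The new comment above contentSecurityPolicy gives the wrong reason for the relaxation: a CSP header on an API response only constrains documents the browser renders from that response (error pages, an API-docs page), so adding https://api.goodgo.vn to connectSrc here does nothing for fetches issued by the web frontend, whose own CSP and this API's CORS configuration govern those. If the API serves a docs page that calls itself, that is the case worth naming; otherwise the added origin is dead configuration that reads as if it enabled something. I would reword it to `// CSP applies only to documents the API itself renders (e.g. API docs); cross-origin calls from the frontend are governed by CORS and the frontend's own CSP`. The enclosing bootstrap() starts before and ends after this hunk.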
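Review bot: `crossOriginResourcePolicy: { policy: 'cross-origin' }` is looser than the stated need: platform.goodgo.vn and api.goodgo.vn share the registrable domain goodgo.vn, so `crossOriginResourcePolicy: { policy: 'same-site' }` lets the platform frontend load responses while still refusing no-cors embedding from unrelated origins. Note also that CORP only gates no-cors cross-origin loads and COOP/COEP only affect top-level documents, so none of the three settings is what makes fetch/XMLHttpRequest calls from the frontend succeed — that is the CORS configuration, which is not in this hunk and presumably lives elsewhere in bootstrap(). If the API is only ever consumed via CORS requests, the previous 'same-origin' value may not have been the blocker at all, so the relaxation is worth re-checking against the actual failure before it lands. bootstrap() continues outside the hunk.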