diff --git a/src/web/app.py b/src/web/app.py
index df60fa7..966ac9d 100644
--- a/src/web/app.py
+++ b/src/web/app.py
@@ -68,7 +68,7 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
 # frame-ancestors 'none' replaces X-Frame-Options for modern browsers.
 _CSP = (
 "default-src 'self'; "
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; "
 "style-src 'self' 'unsafe-inline'; "
 "img-src 'self' data: blob: https://*.supabase.co https://*.linkedin.com https://media.licdn.com; "
 "connect-src 'self' https://*.supabase.co; "
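Review bot: The new `script-src` entry on the `+` line allows every path on `https://cdn.jsdelivr.net`, a public CDN that serves arbitrary npm and GitHub content, so the policy now trusts far more script than the one file the page presumably needs. Host-source expressions may carry a path, so the entry could be narrowed to something like `https://cdn.jsdelivr.net/npm/<package>@<version>/` (placeholder, the hunk does not show which script is loaded), and the `<script>` tag should pin the file with an `integrity` attribute; self-hosting the asset under `'self'` avoids the third-party origin altogether. The directive already carries `'unsafe-inline'` and `'unsafe-eval'`, so a comment such as `# jsdelivr: needed for <library>; narrow to a versioned path and use SRI` would record why the allowance exists. The `_CSP` tuple continues past the end of the hunk.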