diff --git a/index.html b/index.html
index 85f53a8..68489f6 100644
--- a/index.html
+++ b/index.html
@@ -10,13 +10,16 @@
     <meta property="og:title" content="BTCPay Contribute" />
     <meta property="og:description" content="Find good first issues across all BTCPay Server projects, filtered by your skills." />
     <meta property="og:type" content="website" />
-    <meta property="og:url" content="https://contribute.btcpayserver.org" />
+    <meta property="og:url" content="https://pavle.org" />
 
     <!-- Twitter Card -->
     <meta name="twitter:card" content="summary" />
     <meta name="twitter:title" content="BTCPay Contribute" />
     <meta name="twitter:description" content="Find good first issues across all BTCPay Server projects." />
 
+    <!-- CSP — GitHub Pages ignores _headers, so enforce via meta tag -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com" />
+
     <!-- Favicon -->
     <meta name="theme-color" content="#51b13e" />
     <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
diff --git a/public/_headers b/public/_headers
index ecff642..7adb9b1 100644
--- a/public/_headers
+++ b/public/_headers
@@ -1,5 +1,9 @@
+# NOTE: GitHub Pages does not serve custom headers from this file.
+# These headers only take effect on hosts that support _headers
+# (Cloudflare Pages, Netlify). A CSP meta tag in index.html provides
+# baseline protection regardless of hosting platform.
 /*
-  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com; frame-ancestors 'none'
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com; frame-ancestors 'none'
   X-Frame-Options: DENY
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
diff --git a/public/android-chrome-192x192.png b/public/android-chrome-192x192.png
new file mode 100644
index 0000000..ba74859
Binary files /dev/null and b/public/android-chrome-192x192.png differ
diff --git a/public/android-chrome-512x512.png b/public/android-chrome-512x512.png
new file mode 100644
index 0000000..857edee
Binary files /dev/null and b/public/android-chrome-512x512.png differ