diff --git a/next.config.ts b/next.config.ts
index a22d142..03e59f8 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -14,12 +14,18 @@ import type { NextConfig } from "next";
 * other origins via the Referer header.
 * - X-Content-Type-Options: prevents MIME sniffing.
 */
+// Next.js React dev runtime uses dynamic-script execution for fast-refresh,
+// error overlays, and source-map reconstruction. Permit that ONLY in dev so
+// HMR works; production CSP stays strict (no dynamic execution allowed).
+const isDev = process.env.NODE_ENV !== "production";
+const devOnlyDynamicScript = isDev ? " 'unsafe-eval'" : "";
+
 const securityHeaders = [
 {
 key: "Content-Security-Policy",
 value: [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline'",
+ `script-src 'self' 'unsafe-inline'${devOnlyDynamicScript}`,
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 "font-src 'self' https://fonts.gstatic.com data:",
 "img-src 'self' data:",
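Review bot: The comment added above `isDev` says the production CSP "stays strict", but the `script-src` directive on the new template-literal line still carries `'unsafe-inline'` in every environment, which lets any injected inline script run and so removes most of the XSS protection this header is meant to provide. The dev-only gate for `'unsafe-eval'` is the right shape, but the remaining relaxation should move to a nonce- or hash-based `script-src` (Next.js supports per-request nonces via middleware), and until then the comment should not overstate the guarantee — something like `// production CSP still permits inline scripts via 'unsafe-inline'; see script-src below` is more accurate. Separately, `process.env.NODE_ENV !== "production"` classifies an unset or "test" NODE_ENV as dev, so if this config is ever evaluated without NODE_ENV set the built headers would include `'unsafe-eval'`; `const isDev = process.env.NODE_ENV === "development";` fails closed instead. The `securityHeaders` array continues past the end of the hunk.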