diff --git a/apps/admin/index.html b/apps/admin/index.html
index 2993d09e..6872c3a8 100644
--- a/apps/admin/index.html
+++ b/apps/admin/index.html
@@ -9,7 +9,7 @@ Crewli Admin
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5173; form-action 'self'; base-uri 'self'">
diff --git a/apps/app/index.html b/apps/app/index.html
index 4defa60c..70752723 100644
--- a/apps/app/index.html
+++ b/apps/app/index.html
@@ -9,7 +9,7 @@ Crewli — Organizer
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5174; form-action 'self'; base-uri 'self'">
diff --git a/apps/portal/index.html b/apps/portal/index.html
index 21d1926d..4c9cf53d 100644
--- a/apps/portal/index.html
+++ b/apps/portal/index.html
@@ -9,7 +9,7 @@ Crewli — Portal
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5175; form-action 'self'; base-uri 'self'">
diff --git a/deploy/nginx/csp-portal.conf b/deploy/nginx/csp-portal.conf
index 241c04dc..256eac5c 100644
--- a/deploy/nginx/csp-portal.conf
+++ b/deploy/nginx/csp-portal.conf
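Review bot: The three meta policies in apps/admin, apps/app and apps/portal are the same string differing only in the `ws://localhost:517x` port, and each keeps `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which makes the script-src restriction nominal wherever this meta tag is served; the removed side of these hunks is not shown, so I assume the `'unsafe-*'` sources predate this commit and only the fonts origins are new. A `<meta>`-delivered CSP cannot express `frame-ancestors`, and a browser enforces every policy it receives (meta and header) together, so in production the nginx header remains the policy that actually restricts scripts and framing — that relationship deserves a comment next to the tag, e.g. `<!-- dev-only CSP (Vite needs unsafe-inline/unsafe-eval and localhost connect-src); production policy is deploy/nginx/csp-*.conf, which also sets frame-ancestors -->`. Since the same origins had to be edited in lockstep across five files here, consider emitting the dev policy from one place (a shared template or build-time substitution) so the three copies cannot drift. The `<meta` element that this `content=` attribute belongs to starts outside the hunk.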
@@ -1,4 +1,4 @@
 # CSP for portal.crewli.app
 # Same policy as SPA but with stricter connect-src since portal
 # should only talk to the API.
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
diff --git a/deploy/nginx/csp-spa.conf b/deploy/nginx/csp-spa.conf
index 22470873..f8a0b515 100644
--- a/deploy/nginx/csp-spa.conf
+++ b/deploy/nginx/csp-spa.conf
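Review bot: The context comment `# Same policy as SPA but with stricter connect-src since portal` no longer matches the added line: the new portal policy is byte-identical to the enforce line in deploy/nginx/csp-spa.conf, including `connect-src 'self' https://api.crewli.app`, so there is nothing stricter about it. Either reduce the comment to something like `# Same policy as csp-spa.conf; keep the two files in sync` or, better, define the shared string once (an nginx `include` of a common snippet, or a `map`/`set` variable referenced by both `add_header` lines) so the next origin addition is not a five-file change. One deployment caveat worth confirming in the server config, which is not in this diff: `add_header` directives are inherited by a nested block only when that block declares none of its own, so a `location` that adds any other header would silently drop this CSP unless the directive is repeated there.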
@@ -9,7 +9,7 @@ # of clean logs.
 # Report-only mode (start with this):
-# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
 # Enforce mode (switch to this after testing):
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
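Review bot: The Report-Only line that the comment tells operators to "start with" contains no `report-uri` or `report-to` directive, so in report-only mode violations are only printed to browser consoles and never reach the server-side logs the surrounding comment (`# of clean logs.`) refers to; for the staged rollout to produce data the policy string itself must name an endpoint, e.g. appending `; report-uri /csp-report` (path constructed as an example — use whatever the API actually exposes, and note `report-uri` is the widely supported form while `report-to` also needs a `Reporting-Endpoints` header). The commented-out line and the enforce line are two copies of the same string that must be edited in lockstep, which this hunk demonstrates; assuming this file is included inside a `server` or `location` block, `set $csp "…";` followed by `add_header Content-Security-Policy $csp always;` (and the Report-Only variant referencing the same `$csp`) would remove the duplication. The hunk header announces seven lines per side but only five survive here, so blank context lines were likely lost in extraction rather than by the commit.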