diff --git a/apps/blog/next.config.js b/apps/blog/next.config.js
index e3ebbfac40ed4a22d597061563ef6fcaa5f86a30..c246b738dc9a6432889b93795b1d7ac66b942ec9 100644
--- a/apps/blog/next.config.js
+++ b/apps/blog/next.config.js
@@ -58,8 +58,9 @@ const cspReportOnly = [
 // Only nodes running proper haf_api_node software are allowed
 "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network https://images.hive.blog",
 // Embedded content: whitelist of allowed iframe sources
- // Based on StaticConfig.ts iframe whitelist
- "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://3speak.online https://3speak.co https://emb.d.tube https://odysee.com https://openhive.chat",
+ // Note: 3speak.online/co removed (compromised/spam), code normalizes to 3speak.tv
+ // Note: emb.d.tube removed (subdomain down, no renderer support)
+ "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://odysee.com https://openhive.chat",
 // Web Workers: self + blob (for HBAuth and service worker)
 "worker-src 'self' blob:",
 // Prevent site from being embedded in iframes (clickjacking protection)
diff --git a/apps/wallet/next.config.js b/apps/wallet/next.config.js
index c1434c49f45334b20bd2fbc556676c135331c11d..a179bf951169be07aaa81a981b214de95425b7ee 100644
--- a/apps/wallet/next.config.js
+++ b/apps/wallet/next.config.js
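Review bot: The tightened `frame-src` on the added line only produces violation reports, not blocks, because this directive list is `cspReportOnly` (visible in the hunk header), so if 3speak.online/co really were compromised, the renderer's normalization to 3speak.tv mentioned in the new comment is the only control actually keeping those origins out of iframes, and the comment should say so. Suggest wording it `// Note: 3speak.online/co removed (compromised/spam). This policy is report-only; the renderer normalizing embeds to 3speak.tv is the enforcing control - keep both in sync.` A regression in that normalizer would today surface only as CSP reports, so it is worth tracking the report-only to enforcing transition alongside this cleanup. The `cspReportOnly` array begins and continues outside the hunk.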
@@ -55,7 +55,8 @@ const cspReportOnly = [
 "font-src 'self' data:",
 // API connections: whitelist of trusted Hive API nodes and services
 // Only nodes running proper haf_api_node software are allowed
- "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network https://images.hive.blog",
+ // Note: images.hive.blog not needed - wallet only uses it server-side (API routes)
+ "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network",
 // Embedded content: wallet has fewer embeds than blog
 "frame-src 'self'",
 // Web Workers: self + blob (for HBAuth and service worker)
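Review bot: The new comment justifies dropping images.hive.blog from `connect-src` with "wallet only uses it server-side", but connect-src governs browser-side fetch/XHR/WebSocket/beacon calls and the hunk shows no evidence that no client code fetches from that host; because the list is `cspReportOnly` (hunk header), a missed caller would appear only as a violation report rather than a visible failure, so it could go unnoticed until the policy is enforced. Suggest confirming via the CSP report sink that no connect-src violations for images.hive.blog arrive before switching to enforcing, and tightening the comment to `// Note: images.hive.blog is called only from API routes (server-side); <img> loads are governed by img-src, not connect-src. Confirm via CSP reports that no client-side fetch hits it before enforcing.` The `cspReportOnly` array starts before and continues after the hunk.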