diff --git a/src/main.py b/src/main.py
index e1c8f97..31e14aa 100644
--- a/src/main.py
+++ b/src/main.py
@@ -89,7 +89,8 @@ async def _security_headers(request: Request, call_next) -> Response:
 response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 response.headers["Content-Security-Policy"] = (
 "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
- " img-src 'self' data: blob: https://*.tile.openstreetmap.org"
+ " img-src 'self' data: blob: https://*.tile.openstreetmap.org;"
+ " connect-src 'self' https://*.tile.openstreetmap.org"
 )
 return response
diff --git a/src/static/sw.js b/src/static/sw.js
index 6a478bf..12ffc8b 100644
--- a/src/static/sw.js
+++ b/src/static/sw.js
@@ -17,8 +17,9 @@ self.addEventListener("activate", event => {
 });
 self.addEventListener("fetch", event => {
- // Let API calls always go to the network
+ // Let API calls and map tiles always go to the network
 if (event.request.url.includes("/api/")) return;
+ if (event.request.url.includes("tile.openstreetmap.org")) return;
 // Navigation requests (page loads, QR code opens) must always hit the network
 // so query parameters like ?k=CODE are preserved for app.js
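Review bot: The new `connect-src 'self' https://*.tile.openstreetmap.org` source (like the existing img-src one) only matches hosts that carry a subdomain label, so a request to the bare `https://tile.openstreetmap.org` host is still blocked by CSP even though the service-worker check `includes("tile.openstreetmap.org")` in sw.js lets it through; if the tile URL template uses the bare host, list it explicitly, e.g. `" connect-src 'self' https://tile.openstreetmap.org https://*.tile.openstreetmap.org"`, and do the same for img-src. Whether the page itself issues fetch()/XHR to the tile host or only loads tiles as images is not visible here; if it is images only, the connect-src entry widens the policy without being needed and could be dropped. Since `default-src` does not fall back for `base-uri` or `frame-ancestors`, consider appending `base-uri 'self'; frame-ancestors 'none'` to the same header unless equivalent protection is set elsewhere. `_security_headers` starts before the hunk.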