diff --git a/console-ui/next.config.ts b/console-ui/next.config.ts
index 3216fc2e..bdb7a6fa 100644
--- a/console-ui/next.config.ts
+++ b/console-ui/next.config.ts
@@ -4,16 +4,22 @@ import type { NextConfig } from "next";
 // - 'unsafe-inline' for style-src: required by Next.js for injected styles.
 // - 'unsafe-inline' + 'unsafe-eval' for script-src: required by Privy SDK
 // and Next.js dev mode. Tighten to nonce-based CSP when feasible.
-// - connect-src: coordinator API, Privy auth, Google Analytics, Stripe.
-// - frame-src: Privy auth iframes, Stripe Checkout iframes.
+// - script-src: GA/GTM, Stripe.js, Cloudflare Turnstile (Privy captcha).
+// - connect-src: coordinator API, Privy auth + RPC, WalletConnect/WalletLink
+// relays & explorer, Google Analytics, Stripe.
+// - frame-src / child-src: Privy auth iframe, WalletConnect verify iframes,
+// Cloudflare Turnstile, Stripe Checkout.
+// - worker-src: app workers (Privy/wagmi may spawn blob: workers).
 const cspDirectives = [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com",
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com https://challenges.cloudflare.com",
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' data: blob: https:",
 "font-src 'self' data:",
- "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://www.google-analytics.com https://api.stripe.com",
- "frame-src https://auth.privy.io https://js.stripe.com",
+ "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://*.rpc.privy.systems https://www.google-analytics.com https://api.stripe.com https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org wss://www.walletlink.org",
+ "frame-src 'self' https://auth.privy.io https://js.stripe.com https://challenges.cloudflare.com https://verify.walletconnect.com https://verify.walletconnect.org",
+ "child-src 'self' https://auth.privy.io https://verify.walletconnect.com https://verify.walletconnect.org",
+ "worker-src 'self' blob:",
 "frame-ancestors 'none'",
 "base-uri 'self'",
 "form-action 'self'",
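Review bot: The new `child-src` line does not match the comment above it, which says frame-src / child-src cover Cloudflare Turnstile and Stripe Checkout, yet `child-src` omits `https://challenges.cloudflare.com` and `https://js.stripe.com` that `frame-src` lists. Because the hunk sets both `frame-src` and `worker-src` explicitly, `child-src` is only consulted as a fallback by browsers lacking those directives, where it would then block the Turnstile and Stripe frames that `frame-src` permits; either drop the `child-src` line or make it the same host list as `frame-src`, e.g. `"child-src 'self' https://auth.privy.io https://js.stripe.com https://challenges.cloudflare.com https://verify.walletconnect.com https://verify.walletconnect.org",`. The added `'self'` in `frame-src` and the `blob:` source in `worker-src` are also not explained by the comment block; a short reason for each (which component needs a same-origin frame, and that blob: workers are reachable by any script already allowed by script-src) would help the next reviewer judge whether they can be tightened. The `cspDirectives` array continues past the end of the hunk.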