diff --git a/firebase.json b/firebase.json
index 6a99e44e..dc6d4033 100644
--- a/firebase.json
+++ b/firebase.json
@@ -10,6 +10,17 @@
 "**/.*",
 "**/node_modules/**"
 ],
+ "headers": [
+ {
+ "source": "**",
+ "headers": [
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self'; script-src 'self' https://apis.google.com; connect-src 'self' https://*.googleapis.com https://*.firebaseio.com wss://*.firebaseio.com https://identitytoolkit.googleapis.com; frame-src https://accounts.google.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;"
+ }
+ ]
+ }
+ ],
 "rewrites": [
 {
 "source": "**",
diff --git a/packages/apigateway/internal/server/middleware.go b/packages/apigateway/internal/server/middleware.go
index 15778ef7..8d5c871b 100644
--- a/packages/apigateway/internal/server/middleware.go
+++ b/packages/apigateway/internal/server/middleware.go
@@ -18,8 +18,11 @@ func CORSMiddleware(corsHandler *cors.Handler) func(http.Handler) http.Handler {
 return
 }
- // Set CORS headers for all requests
- corsHandler.SetHeaders(w, r)
+ // Set CORS headers - reject if origin not allowed
+ if !corsHandler.SetHeaders(w, r) {
+ http.Error(w, "Origin not allowed", http.StatusForbidden)
+ return
+ }
 // Continue to next handler
 next.ServeHTTP(w, r)
diff --git a/packages/web/src/components/dashboard/MultiSportComparisonChart.tsx b/packages/web/src/components/dashboard/MultiSportComparisonChart.tsx
index dfa85bab..563ae699 100644
--- a/packages/web/src/components/dashboard/MultiSportComparisonChart.tsx
+++ b/packages/web/src/components/dashboard/MultiSportComparisonChart.tsx
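Review bot: The new policy leaves framing, form targets and `<base>` injection uncontrolled, because `frame-ancestors`, `form-action` and `base-uri` do not fall back to `default-src`; append `base-uri 'self'; frame-ancestors 'none'; form-action 'self'; object-src 'none'` to the value (`object-src` otherwise inherits `'self'`). `connect-src` already lists `https://*.googleapis.com`, so the explicit `https://identitytoolkit.googleapis.com` entry is redundant and can be dropped for readability. If the app uses the Firebase Auth redirect or popup sign-in flow, the SDK's auth helper iframe is served from the project's authDomain, which the `frame-src` entry here does not appear to cover — confirm against the auth configuration before enforcing. Consider shipping the same value as `Content-Security-Policy-Report-Only` first and switching to enforcement once the report stream is clean.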
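Review bot: The new rejection path returns 403 for every request where `SetHeaders` reports false, and from this hunk it is not visible whether that includes requests carrying no `Origin` header at all (same-origin navigations, curl, server-to-server calls); if the handler treats a missing Origin as not allowed, those clients are now blocked rather than simply served without CORS headers. Confirm that contract on `cors.Handler.SetHeaders`, and check that the preflight branch returning just above the hunk applies the same allow-list, since it is outside the hunk. A rejected origin is a useful detection signal, so consider logging it before the error with whatever logger this package already uses, e.g. `log.Printf("cors: rejected origin %q for %s %s", r.Header.Get("Origin"), r.Method, r.URL.Path)`. The enclosing closure starts before and ends after this hunk.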
@@ -1,6 +1,7 @@
 import { Link } from "react-router-dom";
 import { LineChart, Line, ResponsiveContainer, XAxis } from "recharts";
 import { parseLocalDateStrict, formatDisplayDate } from "../../utils/dateUtils";
+import { SLATE } from "../../constants/uiColors";
 import TimeRangeSelector from "./TimeRangeSelector";
 import RecentActivitiesList from "./RecentActivitiesList";
 import { SparklineSkeleton, ActivityRowSkeleton } from "../Skeleton";
@@ -85,7 +86,7 @@ function SparklineRow({
 dataKey="date"
 axisLine={false}
 tickLine={false}
- tick={{ fontSize: 9, fill: "#999" }}
+ tick={{ fontSize: 9, fill: SLATE.LIGHT }}
 tickFormatter={formatAxisDate}
 interval="preserveStartEnd"
 minTickGap={50}
diff --git a/terraform/modules/desirelines/cloud_run.tf b/terraform/modules/desirelines/cloud_run.tf
index 494a7937..3e1a7e6a 100644
--- a/terraform/modules/desirelines/cloud_run.tf
+++ b/terraform/modules/desirelines/cloud_run.tf
@@ -86,11 +86,11 @@ resource "google_cloud_run_v2_service" "dispatcher" {
 name = lower(replace(volumes.key, "_", "-"))
 secret {
 secret = volumes.value
- default_mode = 292 # 0444
+ default_mode = 256 # 0400 owner-read-only
 items {
 version = "latest"
 path = "value"
- mode = 292
+ mode = 256 # 0400
 }
 }
 }
@@ -185,11 +185,11 @@ resource "google_cloud_run_v2_service" "api_gateway" {
 name = "infisical-postgres-conn-apigateway"
 secret {
 secret = google_secret_manager_secret.postgres_conn_apigateway.secret_id
- default_mode = 292 # 0444 in octal (read-only)
+ default_mode = 256 # 0400 owner-read-only
 items {
 version = "latest"
 path = "value"
- mode = 292 # 0444
+ mode = 256 # 0400
 }
 }
 }
@@ -295,11 +295,11 @@ resource "google_cloud_run_v2_service" "bq_inserter" {
 name = lower(replace(volumes.key, "_", "-"))
 secret {
 secret = volumes.value
- default_mode = 292
+ default_mode = 256 # 0400 owner-read-only
 items {
 version = "latest"
 path = "value"
- mode = 292
+ mode = 256 # 0400
 }
 }
 }
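Review bot: Tightening the mounted secret files to 0400 makes them readable only by the file's owner, and from these hunks it is not visible which user the dispatcher, api_gateway, bq_inserter and postgres_writer containers run as; if any image runs as a non-root user that does not own the mounted file, the secret becomes unreadable at startup and the service fails to come up. Verify each image's runtime user before applying, or roll the change out to one service first and watch its startup logs. The same change appears in the api_gateway hunk (`@@ -185`), the bq_inserter hunk (`@@ -295`) and both postgres_writer hunks (`@@ -393`, `@@ -407`), so the check applies to all of them. Since the per-item `mode` appears to take precedence over `default_mode` for the single `value` file, the inline comment could say so to stop the next reader wondering why both are set: `default_mode = 256 # 0400 owner-read-only; items.mode below overrides this for "value"`.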
@@ -393,11 +393,11 @@ resource "google_cloud_run_v2_service" "postgres_writer" {
 name = lower(replace(volumes.key, "_", "-"))
 secret {
 secret = volumes.value
- default_mode = 292
+ default_mode = 256 # 0400 owner-read-only
 items {
 version = "latest"
 path = "value"
- mode = 292
+ mode = 256 # 0400
 }
 }
 }
@@ -407,11 +407,11 @@ resource "google_cloud_run_v2_service" "postgres_writer" {
 name = "infisical-postgres-conn-writer"
 secret {
 secret = google_secret_manager_secret.postgres_conn_writer.secret_id
- default_mode = 292 # 0444 in octal (read-only)
+ default_mode = 256 # 0400 owner-read-only
 items {
 version = "latest"
 path = "value"
- mode = 292 # 0444
+ mode = 256 # 0400
 }
 }
 }