diff --git a/hosts/muho/configuration.nix b/hosts/muho/configuration.nix
index 773a9d7..f8b8407 100644
--- a/hosts/muho/configuration.nix
+++ b/hosts/muho/configuration.nix
@@ -40,6 +40,7 @@ in {
 mods.server.vault.enable = true;
 mods.server.git.enable = true;
 mods.server.cal.enable = true;
+ mods.server.chat.enable = true;
 mods.tailscale.enable = true;
 mods.wireguard.id = 3;
diff --git a/modules/nixos/server/chat.nix b/modules/nixos/server/chat.nix
index 4f34cf3..ba8a377 100644
--- a/modules/nixos/server/chat.nix
+++ b/modules/nixos/server/chat.nix
@@ -21,6 +21,16 @@ in with lib; {
 services.open-webui = {
 enable = true;
+ host = "0.0.0.0";
+
+ environment = {
+ ANONYMIZED_TELEMETRY = "False";
+ DO_NOT_TRACK = "True";
+ SCARF_NO_ANALYTICS = "True";
+ OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+ # Disable authentication
+ WEBUI_AUTH = "False";
+ };
 inherit port;
 };
diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix
index d5394db..54faea0 100644
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@@ -53,16 +53,16 @@ in with lib; {
 # add_header Strict-Transport-Security $hsts_header;
 # Enable CSP for your services.
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ # add_header 'Referrer-Policy' 'origin-when-cross-origin';
 # Disable embedding as a frame
 add_header X-Frame-Options DENY;
 # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
+ # add_header X-Content-Type-Options nosniff;
 # This might create errors
 # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
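Review bot: `host = "0.0.0.0";` combined with `WEBUI_AUTH = "False";` in the chat.nix hunk exposes Open WebUI on every interface with no login, so any client that can reach `port` (LAN hosts or Tailscale peers, unless the NixOS firewall keeps the port closed) gets the single unauthenticated account, which as far as I recall from the Open WebUI docs is an admin-level single-user mode. If the service is fronted by the nginx virtualHost defined elsewhere in this repo, the module's loopback default already suffices: drop the `host` line or set `host = "127.0.0.1";` and let nginx (or Tailscale ACLs) enforce access. The `# Disable authentication` comment should state the constraint it depends on, e.g. `# Disable authentication: only safe while the port is loopback-only or firewalled; every client that reaches it gets full access`. It is also worth confirming that the packaged Open WebUI version still reads `OLLAMA_API_BASE_URL`; newer releases document `OLLAMA_BASE_URL`, and an unread variable silently leaves the default in place. The enclosing `services.open-webui` attribute set continues outside the hunk.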
@@ -72,6 +72,14 @@ in with lib; {
 # This is necessary to pass the correct IP to be hashed
 real_ip_header X-Real-IP;
+
+ # security
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 '';
 virtualHosts = let
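Review bot: The new `Content-Security-Policy` (`default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'`) permits scripts from any http/https origin plus inline script, so it no longer mitigates XSS the way the `script-src 'self'; object-src 'none'; base-uri 'none'` policy commented out in the previous nginx hunk did, and `no-referrer-when-downgrade` sends the full URL cross-origin where the removed `origin-when-cross-origin` sent only the origin. If a single application (presumably the newly enabled chat UI, which needs inline scripts and websockets) cannot run under the strict policy, relax it in that virtualHost's extraConfig instead of for every site, and keep a referrer policy such as `add_header Referrer-Policy "strict-origin-when-cross-origin" always;`. `X-XSS-Protection` is deprecated: current browsers ignore it and the auditor it enabled in older ones had known side-channel problems, so the usual advice is `add_header X-XSS-Protection "0" always;` or dropping the line. Note also nginx's `add_header` inheritance: any virtualHost or location block that declares its own `add_header` emits none of these headers, which deserves a comment above `# security` if this string lands in the http-level config (the enclosing attribute is outside the hunk).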