diff --git a/app/bootstrap/init.php b/app/bootstrap/init.php
index dbe0414..643a0e3 100644
--- a/app/bootstrap/init.php
+++ b/app/bootstrap/init.php
@@ -57,7 +57,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 
 // 5. Security Headers
 header("X-Content-Type-Options: nosniff");
-header("X-Frame-Options: DENY");
+header("X-Frame-Options: SAMEORIGIN");
 header("X-XSS-Protection: 1; mode=block");
 header("Referrer-Policy: strict-origin-when-cross-origin");
 header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); // I1 Fix: HSTS
diff --git a/public/shell.php b/public/shell.php
index 5d8f75d..3dabe0c 100644
--- a/public/shell.php
+++ b/public/shell.php
@@ -397,7 +397,7 @@
                 <!-- Left: Document Preview -->
                 <div class="flex-1 bg-gray-950 rounded-3xl overflow-hidden border border-gray-800 relative">
                     <template x-if="currentInvoice?.file_url">
-                        <iframe :src="currentInvoice.file_url" class="w-full h-full border-0"></iframe>
+                        <iframe :src="currentInvoice.file_url + '&token=' + token()" class="w-full h-full border-0"></iframe>
                     </template>
                     <div x-show="!currentInvoice?.file_url" class="absolute inset-0 flex items-center justify-center text-gray-600">لا يوجد ملف مرفق</div>
                 </div>