diff --git a/backend/app/Core/Response.php b/backend/app/Core/Response.php
index af6c41d..73a11e6 100644
--- a/backend/app/Core/Response.php
+++ b/backend/app/Core/Response.php
@@ -82,7 +82,7 @@ class Response
$this->json($response, $code);
}
- private function sendHeaders(): void
+ public function sendHeaders(): void
{
if (headers_sent()) {
return;
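Review bot: `sendHeaders()` becomes part of Response's public API at line 9 without a docblock stating its contract, and the visible `headers_sent()` guard on the next lines means a call made after output has started is a silent no-op rather than an error, which external callers (such as the route handler in `backend/public/index.php` that now calls it directly) need to know. Suggest a docblock above the signature: `/** Emit every header set on this response. Silently does nothing if PHP has already sent headers, so call it before any output. */`. The method's body continues beyond the end of this hunk, so whether it also sends the status code or cookies cannot be confirmed from here.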
diff --git a/backend/app/Middlewares/SecurityMiddleware.php b/backend/app/Middlewares/SecurityMiddleware.php
index 978daa6..e2728c2 100644
--- a/backend/app/Middlewares/SecurityMiddleware.php
+++ b/backend/app/Middlewares/SecurityMiddleware.php
@@ -18,7 +18,7 @@ class SecurityMiddleware
$response->setHeader('X-XSS-Protection', '1; mode=block'); // Prevent Cross-Site Scripting (XSS)
$response->setHeader('X-Content-Type-Options', 'nosniff'); // Prevent MIME-sniffing
$response->setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload'); // HSTS
- $response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'; object-src 'none';"); // CSP
+ $response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; object-src 'none';"); // CSP
// 2. Input Sanitization to prevent XSS (Recursive)
$body = $request->getBody();
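Review bot: The new `Content-Security-Policy` value at line 22 adds `'unsafe-eval'` and two third-party script origins to `script-src`, which gives up most of what the previous `script-src 'self'` policy provided: any script served from those CDN hosts, and any code path that reaches `eval()`/`Function()`, is now permitted by the browser. If the eval allowance exists for a front-end framework, check whether it offers a CSP-compatible build so the keyword can be dropped; for the CDN scripts, pin exact versioned URLs and add `integrity`/`crossorigin` attributes on the corresponding `<script>`/`<link>` tags (or self-host the files so they fall under `'self'`) so a modified file on the CDN is rejected. The trailing `// CSP` comment should also record why each allowance exists, e.g. `// CSP: 'unsafe-eval' required by [library] — TODO remove when a CSP-safe build is adopted; CDN hosts must be paired with SRI on the tags`, so the next reviewer can see whether each exception is still needed.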
diff --git a/backend/public/index.html b/backend/public/index.html
index 636ae3e..0e8df37 100644
--- a/backend/public/index.html
+++ b/backend/public/index.html
@@ -10,7 +10,7 @@
-
+
@@ -725,6 +725,19 @@
Waiting for connection handshake...
@@ -1056,18 +1069,29 @@
renderQr() {
const canvasDiv = document.getElementById('qrcode-canvas');
- if (!canvasDiv || !this.whatsappSession || !this.whatsappSession.qr_code) return;
+ console.log('renderQr() invoked. canvasDiv:', canvasDiv, 'Session data:', this.whatsappSession);
+ if (!canvasDiv || !this.whatsappSession || !this.whatsappSession.qr_code) {
+ return;
+ }
- // Clear previous QR instance
- canvasDiv.innerHTML = '';
- new QRCode(canvasDiv, {
- text: this.whatsappSession.qr_code,
- width: 200,
- height: 200,
- colorDark: "#0b0d19",
- colorLight: "#ffffff",
- correctLevel: QRCode.CorrectLevel.H
- });
+ try {
+ if (typeof window.QRCode === 'undefined') {
+ throw new Error('QRCode class is not defined. Script resource failed to load.');
+ }
+ // Clear previous QR instance
+ canvasDiv.innerHTML = '';
+ new QRCode(canvasDiv, {
+ text: this.whatsappSession.qr_code,
+ width: 200,
+ height: 200,
+ colorDark: "#0b0d19",
+ colorLight: "#ffffff",
+ correctLevel: QRCode.CorrectLevel.H
+ });
+ console.log('QR Code generated successfully.');
+ } catch (e) {
+ console.error('Error generating QR code:', e);
+ }
},
startPolling() {
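Review bot: The `console.log` added at line 38 prints the whole `this.whatsappSession` object, including `qr_code`, which from its use as the QR text is presumably the pairing payload for linking the WhatsApp session, to the browser console on every render; that value then persists in devtools history, screen recordings and any client-side error reporter that captures console output. Log only presence flags instead, e.g. `console.log('renderQr() invoked. hasCanvas:', !!canvasDiv, 'hasQr:', !!(this.whatsappSession && this.whatsappSession.qr_code));`, or remove the line now that the try/catch at lines 52–69 reports the failure cases. The `console.log` at line 66 and the `console.error` at line 68 are fine as they expose no session data.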
diff --git a/backend/public/index.php b/backend/public/index.php
index 2adb344..1a4d2dc 100644
--- a/backend/public/index.php
+++ b/backend/public/index.php
@@ -22,7 +22,8 @@ $router->use(\App\Middlewares\SecurityMiddleware::class);
// 4. Define API Routes
// Serve index.html dashboard on root path
$router->get('/', function ($request, $response) {
- header('Content-Type: text/html; charset=utf-8');
+ $response->setHeader('Content-Type', 'text/html; charset=utf-8');
+ $response->sendHeaders();
readfile(__DIR__ . '/index.html');
exit;
});
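Review bot: The `readfile()` call on the line after the added `$response->sendHeaders()` has its return value ignored, so a missing or unreadable `index.html` still sends the 200 response and `text/html` headers that were just flushed, followed by an empty body and a PHP warning. Because headers are already out by then, the status cannot be corrected afterwards; check readability before sending headers, e.g. `$path = __DIR__ . '/index.html';` and `if (!is_readable($path)) { $response->setHeader('Content-Type', 'text/plain; charset=utf-8'); http_response_code(404); exit; }` ahead of the `setHeader` call, then pass `$path` to `readfile()`. The `exit` on line 84 also appears to end the request inside the handler, so anything the router would otherwise do after a handler returns is skipped for this route; if that is intentional, a one-line comment saying so would help.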