diff --git a/nginx.conf b/nginx.conf
index 34bccc2..534acab 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -2,11 +2,30 @@ server {
     listen 80;
 
     server_name _;
+    server_tokens off;
 
     root /usr/share/nginx/html;
 
     index index.html;
 
+    # Baseline security hardening for a static SPA.
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://backend.beammp.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
+
+    location = /installer/BeamMP_Installer.msi {
+        default_type application/octet-stream;
+        add_header Content-Disposition 'attachment; filename="BeamMP_Installer.msi"' always;
+        add_header Cache-Control "public, max-age=3600" always;
+        try_files $uri =404;
+    }
+
+    location ^~ /installer/ {
+        try_files $uri =404;
+    }
+
     location / {
         # SPA fallback: serve index.html for non-file routes so Vue Router can render NotFound
         try_files $uri $uri/ /index.html;
@@ -14,8 +33,8 @@ server {
 
     location ~* \.msi$ {
         default_type application/octet-stream;
-        add_header Content-Disposition 'attachment';
-        add_header X-Content-Type-Options nosniff;
+        add_header Content-Disposition 'attachment' always;
+        add_header X-Content-Type-Options nosniff always;
         try_files $uri =404;
     }
 
diff --git a/src/views/Home.vue b/src/views/Home.vue
index 77b2598..9980bb8 100644
--- a/src/views/Home.vue
+++ b/src/views/Home.vue
@@ -24,7 +24,13 @@ const totalServers = ref('...')
 const isLoading = ref(true)
 const heroImageLoaded = ref(false)
 const heroImageSrc = ref(landingLq)
-const installerDownloadUrl = `${import.meta.env.BASE_URL}installer/BeamMP_Installer.msi`
+const installerDownloadUrl = computed(() => {
+  const base = import.meta.env.BASE_URL || '/'
+  if (base === './') {
+    return '/installer/BeamMP_Installer.msi'
+  }
+  return `${base.replace(/\/$/, '')}/installer/BeamMP_Installer.msi`
+})
 
 onMounted(async () => {
   try {