diff --git a/charts/funkwhale/Chart.yaml b/charts/funkwhale/Chart.yaml
index 9a6ad78..a6e9534 100644
--- a/charts/funkwhale/Chart.yaml
+++ b/charts/funkwhale/Chart.yaml
@@ -4,7 +4,7 @@ appVersion: "1.2.9"
 description: A social platform to enjoy and share music
 icon: https://funkwhale.audio/favicon.png
 name: funkwhale
-version: 0.6.1
+version: 0.7.0
 dependencies:
 - name: redis
diff --git a/charts/funkwhale/templates/configmap-front.yaml b/charts/funkwhale/templates/configmap-front.yaml
index c0d1d04..d84afbd 100644
--- a/charts/funkwhale/templates/configmap-front.yaml
+++ b/charts/funkwhale/templates/configmap-front.yaml
@@ -15,22 +15,25 @@ data:
 server localhost:5000;
 }
+ # Required for websocket support.
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
 }
 server {
- listen 80;
+ listen 80; listen [::]:80;
+ charset utf-8;
- server_name ${FUNKWHALE_HOSTNAME};
+ server_name _;
- root /frontend;
-
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+ add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Service-Worker-Allowed "/";
+
+ root /frontend;
 # compression settings
 gzip on;
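Review bot: In the new server-level Content-Security-Policy, `'unsafe-eval'` is listed under `connect-src`, where it is not a valid source expression and browsers ignore it; remove it there, or, if the frontend genuinely needs eval, put it in `script-src` so the relaxation is explicit rather than accidental. The same header widens `style-src`, `img-src`, `font-src` and `media-src` from `'self'` to scheme-wide `https:`/`http:` (cleartext included) and drops `worker-src 'self'`, which now falls back to `script-src`; the reason deserves a comment above the directive, e.g. `# Remote https:/http: sources are needed for federated media and avatars; script-src stays 'self'.` Note also that nginx does not merge `add_header` across levels, so any location that declares its own `add_header` stops receiving this CSP, Referrer-Policy and X-Frame-Options, and only the X-Frame-Options line carries `always`, so the other two are absent on error responses.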
@@ -67,25 +70,16 @@ data:
 }
 location /front/ {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
- add_header Referrer-Policy "strict-origin-when-cross-origin";
- add_header Service-Worker-Allowed "/";
- add_header X-Frame-Options "ALLOW";
 alias /frontend/;
- expires 30d;
- add_header Pragma public;
- add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ expires 1d;
 }
 location /front/embed.html {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+ add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
- add_header X-Frame-Options "" always;
 alias /frontend/embed.html;
- expires 30d;
- add_header Pragma public;
- add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ expires 1d;
 }
 location /federation/ {
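Review bot: The new `/front/embed.html` policy sets `script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'`, which lets any package hosted on unpkg.com plus any inline script execute in the one page that third-party sites frame, so the most exposed page ends up with the loosest script policy. If embed.html needs one specific library from unpkg, narrow the source to that package path (`unpkg.com/<package>@<version>/`) and pin the script tag with `integrity=`, and drop `'unsafe-eval'` unless the embed code is known to require it. It is also worth a comment that the explicit `X-Frame-Options "" always` could be removed only because this location's own `add_header` directives suppress the server-level `SAMEORIGIN` (nginx does not inherit `add_header` into a location that sets any), e.g. `# No X-Frame-Options here on purpose: the server-level SAMEORIGIN is not inherited, which keeps the player embeddable.`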
@@ -106,24 +100,23 @@ data:
 location /media/ {
 alias ${MEDIA_ROOT}/;
+ add_header Access-Control-Allow-Origin '*';
 }
- {{- if .Values.s3.enabled }}
- location ~ /_protected/media/(.+) {
- internal;
- # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
- proxy_set_header Authorization "";
- proxy_pass $1;
- }
- {{- else }}
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side
- location /_protected/media {
+ location ~ /_protected/media/(.+) {
 internal;
- alias ${MEDIA_ROOT};
- }
+ {{- if .Values.s3.enabled }}
+ # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+ proxy_set_header Authorization "";
+ proxy_pass $1;
+ {{- else }}
+ alias ${MEDIA_ROOT}/$1;
 {{- end }}
+ add_header Access-Control-Allow-Origin '*';
+ }
 location /_protected/music {
 # this is an internal location that is used to serve
@@ -131,7 +124,8 @@ data:
 # has been checked on API side
 # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
 internal;
- alias ${MUSIC_DIRECTORY_SERVE_PATH};
+ alias ${MUSIC_DIRECTORY_SERVE_PATH}/;
+ add_header Access-Control-Allow-Origin '*';
 }
 location /staticfiles/ {
diff --git a/charts/funkwhale/templates/deployment.yaml b/charts/funkwhale/templates/deployment.yaml
index 0816f18..3159d96 100644
--- a/charts/funkwhale/templates/deployment.yaml
+++ b/charts/funkwhale/templates/deployment.yaml
@@ -23,6 +23,7 @@ spec:
 metadata:
 annotations:
 checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/frontend: {{ include (print .Template.BasePath "/configmap-front.yaml") . | sha256sum }}
 checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
 labels:
 app.kubernetes.io/name: {{ include "funkwhale.name" . }}
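Review bot: The `add_header Access-Control-Allow-Origin '*'` added inside `/media/` and `/_protected/media/` has a side effect beyond CORS: nginx inherits `add_header` from the `server` block only into locations that declare none, so responses from these locations no longer carry the server-level Content-Security-Policy, Referrer-Policy or X-Frame-Options. For `/media/`, which serves uploaded files straight from `${MEDIA_ROOT}` and previously had no `add_header` of its own, that silently drops the `default-src 'self'; object-src 'none'` policy that applied if a user-supplied SVG or HTML file is opened directly from that path. Repeat the security headers in these locations (or move them into a shared `include` snippet), and for served uploads a stricter `add_header Content-Security-Policy "default-src 'none'; sandbox";` together with `add_header X-Content-Type-Options nosniff;` is the usual choice. The wildcard origin itself is acceptable for the `internal` locations as far as this hunk shows, since `*` never enables credentialed cross-origin reads.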