diff --git a/packages/api/src/middleware/security.ts b/packages/api/src/middleware/security.ts
index 378ef9e..0d5d5cb 100644
--- a/packages/api/src/middleware/security.ts
+++ b/packages/api/src/middleware/security.ts
@@ -4,8 +4,9 @@ import fp from "fastify-plugin";
 async function securityPlugin(app: FastifyInstance) {
   app.addHook("onSend", async (req, reply) => {
     const isEmbed = req.url.startsWith("/api/v1/embed/") || req.url.startsWith("/embed/");
+    const isAsset = req.url.startsWith("/assets/") || req.url.startsWith("/favicon") || req.url.startsWith("/icon-") || req.url.endsWith(".js") || req.url.endsWith(".css");
-    if (isEmbed) {
+    if (isEmbed || isAsset) {
       // embed routes need to be frameable by third-party sites
       reply.header("Content-Security-Policy", [
         "default-src 'self'",
diff --git a/packages/api/src/routes/admin/team.ts b/packages/api/src/routes/admin/team.ts
index 9d30fb9..2ceaca6 100644
--- a/packages/api/src/routes/admin/team.ts
+++ b/packages/api/src/routes/admin/team.ts
@@ -103,7 +103,9 @@ export default async function adminTeamRoutes(app: FastifyInstance) {
     },
   });
-  const inviteUrl = `${config.WEBAUTHN_ORIGIN}/admin/join/${token}`;
+  const protocol = config.WEBAUTHN_ORIGIN.startsWith("https") ? "https" : "http";
+  const prettyHost = config.WEBAUTHN_RP_ID || new URL(config.WEBAUTHN_ORIGIN).hostname;
+  const inviteUrl = `${protocol}://${prettyHost}/admin/join/${token}`;
   reply.status(201).send({ inviteUrl, token, recoveryPhrase, expiresAt });
 }
 );
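Review bot: The new `isAsset` check matches on `req.url`, which in Fastify still carries the query string, so the `endsWith(".js")` / `endsWith(".css")` clauses let any request opt into the relaxed, frameable embed policy simply by appending `?x=.css` to a page URL; the ordinary pages behind this plugin then lose whatever frame-ancestors protection the strict branch provides. Match on the path only and keep the suffix check narrow: `const path = req.url.split("?")[0];` and then `const isAsset = path.startsWith("/assets/") || path.startsWith("/favicon") || path.startsWith("/icon-");` — static script and stylesheet responses are not documents, so a CSP on them does not need the frameable variant at all, and if a specific route does, a prefix for it is safer than a bare extension. The comment `// embed routes need to be frameable by third-party sites` no longer describes the condition; extend it to say why asset responses share the policy. The `onSend` hook body continues past the end of the hunk.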
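Review bot: Building `inviteUrl` from `protocol` plus `prettyHost` drops the port of `WEBAUTHN_ORIGIN` (a `http://localhost:3000` origin yields a link to `http://localhost/...`) and, when `WEBAUTHN_RP_ID` is set, points the invite — with its one-time token — at the RP ID host, which for WebAuthn may be a parent domain of the origin rather than the host that actually serves `/admin/join`; if that differs from the deployment, the link dead-ends or lands on a host the app does not control. Derive the link from the parsed origin so scheme and port survive, and only override the hostname: `const base = new URL(config.WEBAUTHN_ORIGIN); if (config.WEBAUTHN_RP_ID) base.hostname = config.WEBAUTHN_RP_ID; const inviteUrl = new URL(`/admin/join/${token}`, base).href;`. Whether the RP ID host is guaranteed to serve the join page is not visible here, so please confirm that assumption before relying on it. The route handler that owns these lines starts before the hunk.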