diff --git a/src/server.js b/src/server.js
index f012e7d..9aabd0f 100644
--- a/src/server.js
+++ b/src/server.js
@@ -87,10 +87,19 @@ app.use(express.json());
 // Security headers
 app.use((req, res, next) => {
+  // Public endpoints that should work over HTTP
+  const publicEndpoints = ['/health', '/api', '/docs/api'];
+  const isPublic = publicEndpoints.includes(req.path) || req.path.startsWith('/public/download/');
+
   res.setHeader('X-Content-Type-Options', 'nosniff');
   res.setHeader('X-Frame-Options', 'DENY');
   res.setHeader('X-XSS-Protection', '1; mode=block');
-  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+
+  // Only enforce HTTPS for protected endpoints
+  if (!isPublic) {
+    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  }
+
   res.setHeader(
     'Content-Security-Policy',
     "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'"