diff --git a/app/main.py b/app/main.py
index 0f43728..612e24b 100644
--- a/app/main.py
+++ b/app/main.py
@@ -46,11 +46,13 @@ if _COMBINED_CERT.exists():
         pass
 
 # Corporate proxy — needed when Kiro spawns the process (no .zshrc sourced)
-_PROXY = "http://aproxy.corproot.net:8080"
-_NO_PROXY = "corproot.net,sharedtcs.net,127.0.0.1,localhost,bix.swisscom.com,swisscom.com"
-_os.environ.setdefault("HTTP_PROXY", _PROXY)
-_os.environ.setdefault("HTTPS_PROXY", _PROXY)
-_os.environ.setdefault("NO_PROXY", _NO_PROXY)
+# Only enable this if explicitly requested via environment variable.
+if _os.environ.get("USE_CORP_PROXY", "0") == "1":
+    _PROXY = "http://aproxy.corproot.net:8080"
+    _NO_PROXY = "corproot.net,sharedtcs.net,127.0.0.1,localhost,bix.swisscom.com,swisscom.com"
+    _os.environ.setdefault("HTTP_PROXY", _PROXY)
+    _os.environ.setdefault("HTTPS_PROXY", _PROXY)
+    _os.environ.setdefault("NO_PROXY", _NO_PROXY)
 
 import logging
 import sys
diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index ac3d810..77a478c 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -18,7 +18,8 @@ server {
     # Redirect all HTTP to HTTPS (uncomment after certbot setup)
     # return 301 https://$host$request_uri;
 
-    location / {
+    # Map API requests to the Python backend
+    location /api/ {
         proxy_pass http://127.0.0.1:8998;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -27,4 +28,11 @@ server {
         proxy_read_timeout 120s;
         proxy_connect_timeout 10s;
     }
+
+    # Serve the compiled Node.js frontend directly
+    location / {
+        root /opt/signalplatform/frontend/dist;
+        index index.html;
+        try_files $uri $uri/ /index.html;
+    }
 }