diff --git a/.cspell.json b/.cspell.json
index 3ab8759ee..5a1578c80 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -39,7 +39,7 @@
       "nosocial", "bitget", "leather", "binance", "uniswap", "safepal", "bybit", "phantom", "ledger", "timeless-x", "safe", "zerion", "oneinch", "crypto-com", "imtoken", "kraken", "ronin", "robinhood", "exodus", "argent", "tokenpocket", "Contractaddress", 
       "executionreverted", "FATF", "VASP", "LLMSTXT", "Frontmatter", "CASP", "DKMS", "hydradx", "phala", "astar", "mangata", "polkadotjs", "Dogecoin", "Blockbook", "vuejs", "xsmall", "rgba", "mintlify", "filteredwallets",
       "tnum","minmax","toolkits", "autoplay", "Litoshi", "Litoshis", "encryptor's", "Everscale", "Bitcore", "satoshis", "Parachain", "Bitcore", "walletlist", "Userflow", "retryable", "USDS", "Arbitrum", "Wolfswap", "Halborn", "Pentest", "Spearbit", "valtio",
-      "reshare", "microstacks", "Prebuild", "APKT", "offchain", "Bitgpt", "Restaking", "Synthetix", "lamports", "mmkv", "Windscribe", "Dappkit"
+      "reshare", "microstacks", "Prebuild", "APKT", "offchain", "tabnabbing", "Bitgpt", "Restaking", "Synthetix", "lamports", "mmkv", "Windscribe", "Dappkit"
     ]
   }
   
diff --git a/advanced/security/content-security-policy.mdx b/advanced/security/content-security-policy.mdx
index 6abd99366..823c6cf8f 100644
--- a/advanced/security/content-security-policy.mdx
+++ b/advanced/security/content-security-policy.mdx
@@ -20,6 +20,7 @@ img-src * 'self' data: blob: https://walletconnect.org https://walletconnect.com
 font-src 'self' https://fonts.gstatic.com https://fonts.reown.com;
 connect-src 'self' https://rpc.walletconnect.com https://rpc.walletconnect.org https://relay.walletconnect.com https://relay.walletconnect.org wss://relay.walletconnect.com wss://relay.walletconnect.org https://pulse.walletconnect.com https://pulse.walletconnect.org https://api.web3modal.com https://api.web3modal.org https://keys.walletconnect.com https://keys.walletconnect.org https://notify.walletconnect.com https://notify.walletconnect.org https://echo.walletconnect.com https://echo.walletconnect.org https://push.walletconnect.com https://push.walletconnect.org wss://www.walletlink.org https://cca-lite.coinbase.com;
 frame-src 'self' https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.com https://secure.walletconnect.org;
+Cross-Origin-Opener-Policy: same-origin-allow-popups;
 ```
 
 <Note>
@@ -30,6 +31,12 @@ For a full of list of RPC sources used by `wagmi/viem`, please refer to [Viem's
 
 </Note>
 
+<Note>
+
+**Cross-Origin-Opener-Policy for Social Login Security**: The `Cross-Origin-Opener-Policy: same-origin-allow-popups` header is essential when using AppKit's social login features (Google, X, GitHub, Discord, Apple, Facebook, Farcaster). This header helps prevent tabnabbing attacks during OAuth flows by controlling how popup windows can interact with your application. Without this header, malicious sites could potentially hijack the authentication flow and redirect users to phishing pages.
+
+</Note>
+
 ## Testing and Deploying Your CSP
 
 ### Test Your CSP in a Staging Environment