diff --git a/autobot-slm-backend/middleware/security_headers.py b/autobot-slm-backend/middleware/security_headers.py
index c1ccb436f..286c51642 100644
--- a/autobot-slm-backend/middleware/security_headers.py
+++ b/autobot-slm-backend/middleware/security_headers.py
@@ -51,6 +51,7 @@
     "/api/redoc",
     "/api/openapi.json",
     "/api/api-keys/scopes",  # public endpoint — no auth required
+    "/api/nodes/",  # agent heartbeats — no browser auth, endpoints have own guards
 )