diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 1484670..f5f4d7f 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -53,6 +53,15 @@ jobs:
       - name: Build site
         run: npm run build
 
+      # Astro/Vite does not copy dotfiles from public/ into dist/, so .htaccess
+      # never reaches the deployed origin and Apache never sees the security
+      # headers it sets. Copy it explicitly. Fail if the source is missing
+      # rather than silently shipping a header-less site.
+      - name: Copy .htaccess into dist
+        run: |
+          test -f public/.htaccess
+          cp public/.htaccess dist/.htaccess
+
       - name: Guard — no TODO markers may ship in built HTML
         run: |
           if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then