diff --git a/index.html b/index.html
index a9eb075a4ae..0edb0c06956 100644
--- a/index.html
+++ b/index.html
@@ -12,7 +12,11 @@ "secured": "{{ .Secured }}" } - +
diff --git a/vite.config.ts b/vite.config.ts
index 0a67164fc95..be6721e28a8 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -11,7 +11,7 @@ export default defineConfig(({ mode }) => ({
 "@/": `${path.resolve(__dirname, "assets")}/`,
 },
 },
- base: mode === "production" ? "/<__BASE__>/" : "/",
+ base: mode === "production" ? "/{{ .Base }}/" : "/",
 plugins: [
 vue(),
 Icons({
@@ -41,8 +41,9 @@ export default defineConfig(({ mode }) => ({
 const htmlPlugin = (mode) => {
 return {
 name: "html-transform",
+ enforce: "post",
 transformIndexHtml(html) {
- return mode === "production" ? html.replaceAll("/<__BASE__>", "{{ .Base }}") : html;
+ return mode === "production" ? html.replaceAll("/{{ .Base }}/", "{{ .Base }}/") : html;
 },
 };
 };
diff --git a/web/__snapshots__/web.snapshot b/web/__snapshots__/web.snapshot
index 7a28b04d4e4..aa0f9b2c9db 100644
--- a/web/__snapshots__/web.snapshot
+++ b/web/__snapshots__/web.snapshot
@@ -1,7 +1,7 @@ /* snapshot: Test_createRoutes_foobar */ HTTP/1.1 200 OK Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/plain; charset=utf-8 foo page 
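Review bot: The `html.replaceAll("/{{ .Base }}/", "{{ .Base }}/")` call in `transformIndexHtml` does nothing, silently, whenever the emitted HTML lacks that exact literal (for instance if the braces were escaped in an attribute value), and the page would then ship asset URLs that the server-side template never fills in. The rewrite also assumes that the rendered `{{ .Base }}` value starts with `/` and has no trailing slash, which nothing in the hunk states; a comment above the `return` such as `// {{ .Base }} is filled in by the server template; it must start with "/" and must not end with "/"` would record that contract. Because the value lands in URL attributes at serve time, it should be validated where it is configured (outside this diff) so it cannot render as `//host` or contain quotes. Plugin-level `enforce: "post"` orders the plugin as a whole; if the aim is to run after Vite's own HTML processing, confirm that against the hook-level form `transformIndexHtml: { order: "post", handler(html) { … } }` for the Vite version in use.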
@@ -9,7 +9,7 @@ foo page /* snapshot: Test_createRoutes_index */ HTTP/1.1 200 OK Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/plain; charset=utf-8 index page @@ -17,7 +17,7 @@ index page /* snapshot: Test_createRoutes_redirect */ HTTP/1.1 301 Moved Permanently Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/html; charset=utf-8 Location: /foobar/ @@ -26,7 +26,7 @@ Location: /foobar/ /* snapshot: Test_createRoutes_redirect_with_auth */ HTTP/1.1 307 Temporary Redirect Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/html; charset=utf-8 Location: /foobar/login 
@@ -35,7 +35,7 @@ Location: /foobar/login /* snapshot: Test_createRoutes_username_password */ HTTP/1.1 307 Temporary Redirect Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/html; charset=utf-8 Location: /login @@ -44,7 +44,7 @@ Location: /login /* snapshot: Test_createRoutes_username_password_invalid */ HTTP/1.1 401 Unauthorized Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff @@ -56,7 +56,7 @@ Connection: close Cache-Control: no-transform Cache-Control: no-cache Connection: keep-alive -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/event-stream X-Accel-Buffering: no 
@@ -66,7 +66,7 @@ data: end of stream /* snapshot: Test_createRoutes_version */ HTTP/1.1 200 OK Connection: close -Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com; +Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com; Content-Type: text/html
dev
diff --git a/web/csp.go b/web/csp.go
index 7d4b41a9fff..a4b712c6656 100644
--- a/web/csp.go
+++ b/web/csp.go
@@ -6,7 +6,7 @@ import (
 func cspHeaders(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; manifest-src 'self'; connect-src 'self' api.github.com;")
+ w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; manifest-src 'self'; connect-src 'self' api.github.com;")
 next.ServeHTTP(w, r)
 })
 }
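Review bot: `img-src 'self' data:` is now sent on every route wrapped by `cspHeaders`, and the line gives no reason for the wider source list. If it is only needed because the bundler inlines small images as data URIs (an inference, the hunk does not say), setting `build.assetsInlineLimit: 0` in vite.config.ts would let the policy stay at `img-src 'self'`; otherwise add `// data: is required for <asset that needs it>` above the `Set` call. Separately from this change, `default-src 'none'` is not a fallback for `base-uri`, `form-action` or `frame-ancestors`, so the policy leaves those unrestricted. Appending `base-uri 'self'; form-action 'self'; frame-ancestors 'none';` would close that gap, after checking that the login flow and any intended embedding still work.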