diff --git a/app.py b/app.py
index c28abdc..9aaf19f 100644
--- a/app.py
+++ b/app.py
@@ -68,12 +68,39 @@ async def static_files(filename):
     return await send_from_directory(app.static_folder, filename)
 
 
+# Allowed file extensions for static frontend assets
+ALLOWED_STATIC_EXTENSIONS = {
+    ".html",
+    ".css",
+    ".js",
+    ".svg",
+    ".png",
+    ".ico",
+    ".jpg",
+    ".jpeg",
+    ".webp",
+    ".woff",
+    ".woff2",
+    ".ttf",
+    ".txt",
+}
+
+# JSON files explicitly allowed to be served (e.g. PWA manifest)
+ALLOWED_JSON_FILES = {"manifest.json"}
+
+
 # Serve the React app for all routes (catch-all)
 @app.route("/", defaults={"path": ""})
 @app.route("/<path:path>")
 async def serve_react_app(path):
-    if path and os.path.exists(os.path.join(app.template_folder, path)):
-        return await send_from_directory(app.template_folder, path)
+    if path:
+        ext = os.path.splitext(path)[1].lower()
+        basename = os.path.basename(path)
+        allowed = ext in ALLOWED_STATIC_EXTENSIONS or (
+            ext == ".json" and basename in ALLOWED_JSON_FILES
+        )
+        if allowed and os.path.exists(os.path.join(app.template_folder, path)):
+            return await send_from_directory(app.template_folder, path)
     return await render_template("index.html")
 
 
diff --git a/startup.sh b/startup.sh
index 50d3102..622b3bf 100644
--- a/startup.sh
+++ b/startup.sh
@@ -12,19 +12,17 @@ if [ "${OBSIDIAN_CONTINUOUS_SYNC}" = "true" ]; then
 
     VAULT_PATH="${OBSIDIAN_VAULT_PATH:-/app/data/obsidian}"
 
-    # Login
-    ob login --email "${OBSIDIAN_EMAIL}" --password "${OBSIDIAN_PASSWORD}" && \
-    # Setup sync for vault
-    ob sync-setup \
-        --vault "${OBSIDIAN_VAULT_ID}" \
-        --path "${VAULT_PATH}" \
-        --password "${OBSIDIAN_E2E_PASSWORD}" \
-        --device-name "${OBSIDIAN_DEVICE_NAME:-simbarag}" && \
-    # Start continuous sync in background
-    echo "Starting Obsidian continuous sync..." && \
-    ob sync --continuous --path "${VAULT_PATH}" &
-
-    if [ $? -ne 0 ]; then
+    # Login and setup sync (foreground, must complete before sync starts)
+    if ob login --email "${OBSIDIAN_EMAIL}" --password "${OBSIDIAN_PASSWORD}" && \
+       ob sync-setup \
+           --vault "${OBSIDIAN_VAULT_ID}" \
+           --path "${VAULT_PATH}" \
+           --password "${OBSIDIAN_E2E_PASSWORD}" \
+           --device-name "${OBSIDIAN_DEVICE_NAME:-simbarag}"; then
+        # Start continuous sync in background
+        echo "Starting Obsidian continuous sync..."
+        ob sync --continuous --path "${VAULT_PATH}" &
+    else
         echo "WARNING: Obsidian sync setup failed. Continuing without sync."
     fi
 fi