diff --git a/src/proxy.ts b/src/proxy.ts
index 7d3cf08..9438516 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -12,30 +12,27 @@ async function sha256(input: string): Promise {
 export default async function proxy(request: NextRequest) {
 const { pathname } = request.nextUrl
- // Allow: /zugang page, site-auth API, static assets, favicon
+ // Allow: /zugang page, site-auth API, static assets, favicon, Next.js internals
 if (
 pathname === '/zugang' ||
 pathname.startsWith('/api/site-auth') ||
 pathname.startsWith('/_next') ||
 pathname === '/favicon.ico' ||
- pathname === '/icon.svg'
+ pathname === '/icon.svg' ||
+ pathname.startsWith('/icon')
 ) {
 return NextResponse.next()
 }
-
- // Public API routes (no auth required)
- if (
- pathname.startsWith('/api/contributions') ||
- pathname.startsWith('/api/upload') ||
- pathname.startsWith('/api/candles') ||
- pathname.startsWith('/api/family-upload') ||
- pathname.startsWith('/api/timeline') ||
- pathname.startsWith('/api/recipes') ||
- pathname.startsWith('/api/memories') ||
- pathname.startsWith('/api/media') ||
- pathname.startsWith('/api/files') ||
- pathname.startsWith('/api/auth')
- ) {
+
+ // Allow all API routes and Next.js internal action requests
+ if (pathname.startsWith('/api/')) {
+ return NextResponse.next()
+ }
+
+ // Allow Next.js RSC/Server Action requests (internal framework requests)
+ const nextAction = request.headers.get('next-action')
+ const rsc = request.headers.get('rsc')
+ if (nextAction || rsc) {
 return NextResponse.next()
 }
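Review bot: The new `if (nextAction || rsc)` branch decides access from the `next-action` and `rsc` request headers, which are supplied by the client, so a request for a gated page that carries either header returns `NextResponse.next()` before whatever access check follows in `proxy` (the rest of the function is outside this hunk). Genuine RSC and Server Action requests come from the already-loaded site and carry its cookies, so they can pass the same check as the page they belong to; I would drop this branch rather than trust the headers. The `pathname.startsWith('/api/')` rule likewise replaces the explicit list of public prefixes with every API route, which is only safe if each handler enforces its own authorization; otherwise keep the allowlist and add the prefixes that were missing. `pathname.startsWith('/icon')` also matches any future route whose path merely begins with `/icon`, so listing the exact icon paths would be tighter.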