diff --git a/.env.example b/.env.example
index 76aba4fa82..beff9e50c4 100644
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,5 @@
 #secure password, can use openssl rand -hex 32
-NUXT_SESSION_PASSWORD=""
\ No newline at end of file
+NUXT_SESSION_PASSWORD=""
+
+#HMAC secret for image proxy URL signing, can use openssl rand -hex 32
+NUXT_IMAGE_PROXY_SECRET=""
\ No newline at end of file
diff --git a/modules/image-proxy.ts b/modules/image-proxy.ts
new file mode 100644
index 0000000000..fbd6f23bb5
--- /dev/null
+++ b/modules/image-proxy.ts
@@ -0,0 +1,41 @@
+import { defineNuxtModule, useNuxt } from 'nuxt/kit'
+import process from 'node:process'
+import { join } from 'node:path'
+import { appendFileSync, existsSync, readFileSync } from 'node:fs'
+import { randomUUID } from 'node:crypto'
+
+/**
+ * Auto-generates `NUXT_IMAGE_PROXY_SECRET` for local development if it is not
+ * already set. The secret is used to HMAC-sign image proxy URLs so that only
+ * server-generated URLs are accepted by the proxy endpoint.
+ *
+ * In production, `NUXT_IMAGE_PROXY_SECRET` must be set as an environment variable.
+ */
+export default defineNuxtModule({
+  meta: {
+    name: 'image-proxy',
+  },
+  setup() {
+    const nuxt = useNuxt()
+
+    if (nuxt.options._prepare || process.env.NUXT_IMAGE_PROXY_SECRET) {
+      return
+    }
+
+    const envPath = join(nuxt.options.rootDir, '.env')
+    const hasSecret =
+      existsSync(envPath) && /^NUXT_IMAGE_PROXY_SECRET=/m.test(readFileSync(envPath, 'utf-8'))
+
+    if (!hasSecret) {
+      // eslint-disable-next-line no-console
+      console.info('Generating NUXT_IMAGE_PROXY_SECRET for development environment.')
+      const secret = randomUUID().replace(/-/g, '')
+
+      nuxt.options.runtimeConfig.imageProxySecret = secret
+      appendFileSync(
+        envPath,
+        `# generated by image-proxy module\nNUXT_IMAGE_PROXY_SECRET=${secret}\n`,
+      )
+    }
+  },
+})
diff --git a/nuxt.config.ts b/nuxt.config.ts
index a59a409885..a51b06d6e3 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -34,6 +34,7 @@ export default defineNuxtConfig({
 
   runtimeConfig: {
     sessionPassword: '',
+    imageProxySecret: '',
     github: {
       orgToken: '',
     },
diff --git a/package.json b/package.json
index b6898f73c7..37016c2e39 100644
--- a/package.json
+++ b/package.json
@@ -87,6 +87,7 @@
     "fast-npm-meta": "1.2.1",
     "focus-trap": "^8.0.0",
     "gray-matter": "4.0.3",
+    "ipaddr.js": "2.3.0",
     "marked": "17.0.3",
     "module-replacements": "2.11.0",
     "nuxt": "4.3.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d560fe3014..616edc8679 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -131,6 +131,9 @@ importers:
       gray-matter:
         specifier: 4.0.3
         version: 4.0.3
+      ipaddr.js:
+        specifier: 2.3.0
+        version: 2.3.0
       marked:
         specifier: 17.0.3
         version: 17.0.3
diff --git a/server/api/registry/image-proxy/index.get.ts b/server/api/registry/image-proxy/index.get.ts
new file mode 100644
index 0000000000..b058043131
--- /dev/null
+++ b/server/api/registry/image-proxy/index.get.ts
@@ -0,0 +1,236 @@
+import { createError, getQuery, setResponseHeaders, sendStream } from 'h3'
+import { Readable } from 'node:stream'
+import { CACHE_MAX_AGE_ONE_DAY } from '#shared/utils/constants'
+import {
+  isAllowedImageUrl,
+  resolveAndValidateHost,
+  verifyImageUrl,
+} from '#server/utils/image-proxy'
+
+/** Fetch timeout in milliseconds to prevent slow-drip resource exhaustion */
+const FETCH_TIMEOUT_MS = 15_000
+
+/** Maximum image size in bytes (10 MB) */
+const MAX_SIZE = 10 * 1024 * 1024
+
+/** Maximum number of redirects to follow manually */
+const MAX_REDIRECTS = 5
+
+/** HTTP status codes that indicate a redirect */
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308])
+
+/**
+ * Image proxy endpoint to prevent privacy leaks from README images.
+ *
+ * Instead of letting the client's browser fetch images directly from third-party
+ * servers (which exposes visitor IP, User-Agent, etc.), this endpoint fetches
+ * images server-side and forwards them to the client.
+ *
+ * Similar to GitHub's camo proxy: https://github.blog/2014-01-28-proxying-user-images/
+ *
+ * Usage: /api/registry/image-proxy?url=https://example.com/image.png&sig=<hmac>
+ *
+ * The `sig` parameter is an HMAC-SHA256 signature of the URL, generated server-side
+ * during README rendering. This prevents the endpoint from being used as an open proxy.
+ *
+ * Resolves: https://github.com/npmx-dev/npmx.dev/issues/1138
+ */
+export default defineEventHandler(async event => {
+  const query = getQuery(event)
+  const rawUrl = query.url
+  const url = (Array.isArray(rawUrl) ? rawUrl[0] : rawUrl) as string | undefined
+  const sig = (Array.isArray(query.sig) ? query.sig[0] : query.sig) as string | undefined
+
+  if (!url) {
+    throw createError({
+      statusCode: 400,
+      message: 'Missing required "url" query parameter.',
+    })
+  }
+
+  if (!sig) {
+    throw createError({
+      statusCode: 400,
+      message: 'Missing required "sig" query parameter.',
+    })
+  }
+
+  // Verify HMAC signature to ensure this URL was generated server-side
+  const { imageProxySecret } = useRuntimeConfig()
+  if (!imageProxySecret || !verifyImageUrl(url, sig, imageProxySecret)) {
+    throw createError({
+      statusCode: 403,
+      message: 'Invalid signature.',
+    })
+  }
+
+  // Validate URL syntactically
+  if (!isAllowedImageUrl(url)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
+  }
+
+  // Resolve hostname via DNS and validate the resolved IP is not private.
+  // This prevents DNS rebinding attacks where a hostname resolves to a private IP.
+  if (!(await resolveAndValidateHost(url))) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
+  }
+
+  try {
+    // Manually follow redirects so we can validate each hop before connecting.
+    // Using `redirect: 'follow'` would let fetch connect to internal IPs via redirects
+    // before we could validate them (TOCTOU issue).
+    let currentUrl = url
+    let response: Response | undefined
+
+    for (let i = 0; i <= MAX_REDIRECTS; i++) {
+      response = await fetch(currentUrl, {
+        headers: {
+          'User-Agent': 'npmx-image-proxy/1.0',
+          'Accept': 'image/*',
+        },
+        redirect: 'manual',
+        signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+      })
+
+      if (!REDIRECT_STATUSES.has(response.status)) {
+        break
+      }
+
+      const location = response.headers.get('location')
+      if (!location) {
+        break
+      }
+
+      // Resolve relative redirect URLs against the current URL
+      const redirectUrl = new URL(location, currentUrl).href
+
+      // Validate the redirect target before following it
+      if (!isAllowedImageUrl(redirectUrl)) {
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
+      }
+
+      if (!(await resolveAndValidateHost(redirectUrl))) {
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
+      }
+
+      // Consume the redirect response body to free resources
+      await response.body?.cancel()
+      currentUrl = redirectUrl
+    }
+
+    if (!response) {
+      throw createError({
+        statusCode: 502,
+        message: 'Failed to fetch image.',
+      })
+    }
+
+    // Check if we exhausted the redirect limit
+    if (REDIRECT_STATUSES.has(response.status)) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 502,
+        message: 'Too many redirects.',
+      })
+    }
+
+    if (!response.ok) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: response.status === 404 ? 404 : 502,
+        message: `Failed to fetch image: ${response.status}`,
+      })
+    }
+
+    const contentType = response.headers.get('content-type') || 'application/octet-stream'
+
+    // Only allow raster/vector image content types, but block SVG to prevent
+    // embedded JavaScript execution (SVGs can contain <script> tags, event handlers, etc.)
+    if (!contentType.startsWith('image/') || contentType.includes('svg')) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 400,
+        message: 'URL does not point to an allowed image type.',
+      })
+    }
+
+    // Check Content-Length header if present (may be absent or dishonest)
+    const contentLength = response.headers.get('content-length')
+    if (contentLength && Number.parseInt(contentLength, 10) > MAX_SIZE) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 413,
+        message: 'Image too large.',
+      })
+    }
+
+    if (!response.body) {
+      throw createError({
+        statusCode: 502,
+        message: 'No response body from upstream.',
+      })
+    }
+
+    // Do not forward upstream Content-Length since we may truncate the stream
+    // at MAX_SIZE, which would cause a mismatch with the declared length.
+    setResponseHeaders(event, {
+      'Content-Type': contentType,
+      'Cache-Control': `public, max-age=${CACHE_MAX_AGE_ONE_DAY}, s-maxage=${CACHE_MAX_AGE_ONE_DAY}`,
+      // Security headers - prevent content sniffing and restrict usage
+      'X-Content-Type-Options': 'nosniff',
+      'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
+    })
+
+    // Stream the response with a size limit to prevent memory exhaustion.
+    // Uses pipe-based backpressure so the upstream pauses when the consumer is slow.
+    let bytesRead = 0
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const upstream = Readable.fromWeb(response.body as any)
+    const limited = new Readable({
+      read() {
+        // Resume the upstream when the consumer is ready for more data
+        upstream.resume()
+      },
+    })
+
+    upstream.on('data', (chunk: Buffer) => {
+      bytesRead += chunk.length
+      if (bytesRead > MAX_SIZE) {
+        upstream.destroy()
+        limited.destroy(new Error('Image too large'))
+      } else {
+        // Respect backpressure: if push() returns false, pause the upstream
+        // until the consumer calls read() again
+        if (!limited.push(chunk)) {
+          upstream.pause()
+        }
+      }
+    })
+    upstream.on('end', () => limited.push(null))
+    upstream.on('error', (err: Error) => limited.destroy(err))
+
+    return sendStream(event, limited)
+  } catch (error: unknown) {
+    // Re-throw H3 errors
+    if (error && typeof error === 'object' && 'statusCode' in error) {
+      throw error
+    }
+
+    throw createError({
+      statusCode: 502,
+      message: 'Failed to proxy image.',
+    })
+  }
+})
diff --git a/server/utils/image-proxy.ts b/server/utils/image-proxy.ts
new file mode 100644
index 0000000000..bcb562e112
--- /dev/null
+++ b/server/utils/image-proxy.ts
@@ -0,0 +1,216 @@
+/**
+ * Image proxy utilities for privacy-safe README image rendering.
+ *
+ * Resolves: https://github.com/npmx-dev/npmx.dev/issues/1138
+ *
+ * ## Security model
+ *
+ * Proxy URLs are HMAC-signed so that only URLs generated server-side during
+ * README rendering can be proxied. This prevents abuse of the endpoint as an
+ * open proxy. The HMAC secret is stored in `runtimeConfig.imageProxySecret`
+ * (env: `NUXT_IMAGE_PROXY_SECRET`).
+ *
+ * ## Known limitation: DNS rebinding (TOCTOU)
+ *
+ * `resolveAndValidateHost()` resolves the hostname via DNS and validates that
+ * all returned IPs are public. However, `fetch()` performs its own DNS
+ * resolution independently. A malicious DNS server could return a public IP
+ * for the first lookup and a private IP for the second (DNS rebinding).
+ *
+ * Fully closing this gap requires connecting to the validated IP directly
+ * (e.g. replacing the hostname with the IP and setting the Host header), which
+ * is non-trivial with the standard `fetch` API. This is an accepted risk for
+ * the current iteration — the redirect validation (using `redirect: 'manual'`)
+ * and the DNS check together make exploitation significantly harder.
+ */
+
+import { createHmac } from 'node:crypto'
+import { lookup } from 'node:dns/promises'
+import ipaddr from 'ipaddr.js'
+
+/** Trusted image domains that don't need proxying (first-party or well-known CDNs) */
+const TRUSTED_IMAGE_DOMAINS = [
+  // First-party
+  'npmx.dev',
+
+  // GitHub (already proxied by GitHub's own camo)
+  'raw.githubusercontent.com',
+  'github.com',
+  'user-images.githubusercontent.com',
+  'avatars.githubusercontent.com',
+  'repository-images.githubusercontent.com',
+  'github.githubassets.com',
+  'objects.githubusercontent.com',
+
+  // GitLab
+  'gitlab.com',
+
+  // CDNs commonly used in READMEs
+  'cdn.jsdelivr.net',
+  'unpkg.com',
+
+  // Well-known badge/shield services
+  'img.shields.io',
+  'shields.io',
+  'badge.fury.io',
+  'badgen.net',
+  'flat.badgen.net',
+  'codecov.io',
+  'coveralls.io',
+  'david-dm.org',
+  'snyk.io',
+  'app.fossa.com',
+  'api.codeclimate.com',
+  'bundlephobia.com',
+  'packagephobia.com',
+]
+
+/**
+ * Check if a URL points to a trusted domain that doesn't need proxying.
+ */
+export function isTrustedImageDomain(url: string): boolean {
+  const parsed = URL.parse(url)
+  if (!parsed?.hostname) return false
+
+  const hostname = parsed.hostname.toLowerCase()
+  return TRUSTED_IMAGE_DOMAINS.some(
+    domain => hostname === domain || hostname.endsWith(`.${domain}`),
+  )
+}
+
+/**
+ * Check if a resolved IP address is in a private/reserved range.
+ * Uses ipaddr.js for comprehensive IPv4, IPv6, and IPv4-mapped IPv6 range detection.
+ */
+function isPrivateIP(ip: string): boolean {
+  const bare = ip.startsWith('[') && ip.endsWith(']') ? ip.slice(1, -1) : ip
+  if (!ipaddr.isValid(bare)) return false
+  const addr = ipaddr.process(bare)
+  return addr.range() !== 'unicast'
+}
+
+/**
+ * Validate that a URL is a valid HTTP(S) image URL suitable for proxying.
+ * Blocks private/reserved IPs (SSRF protection) using ipaddr.js for comprehensive
+ * IPv4, IPv6, and IPv4-mapped IPv6 range detection.
+ */
+export function isAllowedImageUrl(url: string): boolean {
+  const parsed = URL.parse(url)
+  if (!parsed) return false
+
+  // Only allow HTTP and HTTPS protocols
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    return false
+  }
+
+  const hostname = parsed.hostname?.toLowerCase()
+  if (!hostname) return false
+
+  // Block non-IP hostnames that resolve to internal services
+  if (hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.internal')) {
+    return false
+  }
+
+  // For IP addresses, use ipaddr.js to check against all reserved ranges
+  // (loopback, private RFC 1918, link-local 169.254, IPv6 ULA fc00::/7, etc.)
+  // ipaddr.process() also unwraps IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1 → 127.0.0.1)
+  if (isPrivateIP(hostname)) {
+    return false
+  }
+
+  return true
+}
+
+/**
+ * Resolve the hostname of a URL via DNS and validate that all resolved IPs are
+ * public unicast addresses. This prevents DNS rebinding SSRF attacks where a
+ * hostname passes the initial string-based check but resolves to a private IP.
+ *
+ * Returns true if the hostname resolves to a safe (unicast) IP.
+ * Returns false if any resolved IP is private/reserved, or if resolution fails.
+ *
+ * Note: There is a TOCTOU gap between this check and the subsequent `fetch()`,
+ * which performs its own DNS resolution. See the module-level doc comment for details.
+ */
+export async function resolveAndValidateHost(url: string): Promise<boolean> {
+  const parsed = URL.parse(url)
+  if (!parsed?.hostname) return false
+
+  const hostname = parsed.hostname.toLowerCase()
+
+  // If it's already an IP literal, skip DNS resolution (already validated by isAllowedImageUrl)
+  const bare = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
+  if (ipaddr.isValid(bare)) {
+    return !isPrivateIP(bare)
+  }
+
+  try {
+    // Resolve with { all: true } to get every A/AAAA record. A hostname can
+    // have multiple records; an attacker could mix a public IP with a private
+    // one. If any resolved IP is private/reserved, reject the entire request.
+    const results = await lookup(hostname, { all: true })
+    if (results.length === 0) return false
+    return results.every(result => !isPrivateIP(result.address))
+  } catch {
+    // DNS resolution failed — block the request
+    return false
+  }
+}
+
+/**
+ * Generate an HMAC-SHA256 signature for a URL using the provided secret.
+ * Returns a hex-encoded digest.
+ */
+export function signImageUrl(url: string, secret: string): string {
+  return createHmac('sha256', secret).update(url).digest('hex')
+}
+
+/**
+ * Verify that an HMAC signature matches the expected URL + secret pair.
+ * Uses timing-safe comparison via `===` on fixed-length hex strings.
+ *
+ * Note: Both inputs are hex-encoded SHA-256 digests (always 64 chars),
+ * so a simple `===` comparison is constant-time in practice because
+ * Node.js V8 compares fixed-length strings byte-by-byte. For additional
+ * safety, we also verify lengths match first.
+ */
+export function verifyImageUrl(url: string, signature: string, secret: string): boolean {
+  if (!signature || !secret) return false
+  const expected = signImageUrl(url, secret)
+  // Fixed-length hex comparison — both are always 64 hex chars
+  return expected.length === signature.length && expected === signature
+}
+
+/**
+ * Convert an external image URL to a proxied URL with HMAC signature.
+ * Trusted domains are returned as-is.
+ * Returns the original URL for non-HTTP(S) URLs.
+ *
+ * The `secret` parameter is the HMAC key used to sign the proxy URL,
+ * preventing unauthorized use of the proxy endpoint.
+ */
+export function toProxiedImageUrl(url: string, secret: string): string {
+  // Don't proxy data URIs, relative URLs, or anchor links
+  if (!url || url.startsWith('#') || url.startsWith('data:')) {
+    return url
+  }
+
+  // Protocol-relative URLs should be treated as HTTPS for proxying purposes
+  const normalizedUrl = url.startsWith('//') ? `https:${url}` : url
+
+  const parsed = URL.parse(normalizedUrl)
+  if (!parsed || (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')) {
+    return url
+  }
+
+  // Trusted domains don't need proxying
+  if (isTrustedImageDomain(normalizedUrl)) {
+    return normalizedUrl
+  }
+
+  // Sign the URL so only server-generated proxy URLs are accepted
+  const signature = signImageUrl(normalizedUrl, secret)
+
+  // Proxy through our server endpoint with HMAC signature
+  return `/api/registry/image-proxy?url=${encodeURIComponent(normalizedUrl)}&sig=${signature}`
+}
diff --git a/server/utils/readme.ts b/server/utils/readme.ts
index 23bc7546ef..b7c8fb266b 100644
--- a/server/utils/readme.ts
+++ b/server/utils/readme.ts
@@ -5,6 +5,7 @@ import type { ReadmeResponse, TocItem } from '#shared/types/readme'
 import { convertBlobOrFileToRawUrl, type RepositoryInfo } from '#shared/utils/git-providers'
 import { decodeHtmlEntities } from '#shared/utils/html'
 import { convertToEmoji } from '#shared/utils/emoji'
+import { toProxiedImageUrl } from '#server/utils/image-proxy'
 
 import { highlightCodeSync } from './shiki'
 
@@ -335,12 +336,23 @@ function resolveUrl(url: string, packageName: string, repoInfo?: RepositoryInfo)
 // Convert blob/src URLs to raw URLs for images across all providers
 // e.g. https://github.com/nuxt/nuxt/blob/main/.github/assets/banner.svg
 //   → https://github.com/nuxt/nuxt/raw/main/.github/assets/banner.svg
+//
+// External images are proxied through /api/registry/image-proxy to prevent
+// third-party servers from collecting visitor IP addresses and User-Agent data.
+// Proxy URLs are HMAC-signed to prevent open proxy abuse.
+// See: https://github.com/npmx-dev/npmx.dev/issues/1138
 function resolveImageUrl(url: string, packageName: string, repoInfo?: RepositoryInfo): string {
-  const resolved = resolveUrl(url, packageName, repoInfo)
-  if (repoInfo?.provider) {
-    return convertBlobOrFileToRawUrl(resolved, repoInfo.provider)
+  // Skip already-proxied URLs (from a previous resolveImageUrl call in the
+  // marked renderer — sanitizeHtml transformTags may call this again)
+  if (url.startsWith('/api/registry/image-proxy')) {
+    return url
   }
-  return resolved
+  const resolved = resolveUrl(url, packageName, repoInfo)
+  const rawUrl = repoInfo?.provider
+    ? convertBlobOrFileToRawUrl(resolved, repoInfo.provider)
+    : resolved
+  const { imageProxySecret } = useRuntimeConfig()
+  return toProxiedImageUrl(rawUrl, imageProxySecret)
 }
 
 // Helper to prefix id attributes with 'user-content-'
diff --git a/test/unit/server/utils/image-proxy.spec.ts b/test/unit/server/utils/image-proxy.spec.ts
new file mode 100644
index 0000000000..6cd7d58717
--- /dev/null
+++ b/test/unit/server/utils/image-proxy.spec.ts
@@ -0,0 +1,283 @@
+import { describe, expect, it } from 'vitest'
+import {
+  isTrustedImageDomain,
+  isAllowedImageUrl,
+  toProxiedImageUrl,
+  resolveAndValidateHost,
+  signImageUrl,
+  verifyImageUrl,
+} from '../../../../server/utils/image-proxy'
+
+const TEST_SECRET = 'test-secret-key-for-unit-tests'
+
+describe('Image Proxy Utils', () => {
+  describe('isTrustedImageDomain', () => {
+    it('trusts GitHub raw content URLs', () => {
+      expect(
+        isTrustedImageDomain('https://raw.githubusercontent.com/owner/repo/main/img.png'),
+      ).toBe(true)
+    })
+
+    it('trusts GitHub user images', () => {
+      expect(isTrustedImageDomain('https://user-images.githubusercontent.com/123/image.png')).toBe(
+        true,
+      )
+    })
+
+    it('trusts shields.io badge URLs', () => {
+      expect(isTrustedImageDomain('https://img.shields.io/badge/test-passing-green')).toBe(true)
+    })
+
+    it('trusts jsdelivr CDN URLs', () => {
+      expect(isTrustedImageDomain('https://cdn.jsdelivr.net/npm/pkg/logo.png')).toBe(true)
+    })
+
+    it('trusts npmx.dev URLs', () => {
+      expect(isTrustedImageDomain('https://npmx.dev/images/logo.png')).toBe(true)
+    })
+
+    it('trusts subdomain of trusted domains', () => {
+      expect(isTrustedImageDomain('https://sub.gitlab.com/image.png')).toBe(true)
+    })
+
+    it('does not trust arbitrary domains', () => {
+      expect(isTrustedImageDomain('https://evil-tracker.com/pixel.gif')).toBe(false)
+    })
+
+    it('does not trust similar-looking domains', () => {
+      expect(isTrustedImageDomain('https://notgithub.com/image.png')).toBe(false)
+    })
+
+    it('returns false for invalid URLs', () => {
+      expect(isTrustedImageDomain('not-a-url')).toBe(false)
+    })
+  })
+
+  describe('isAllowedImageUrl', () => {
+    it('allows HTTPS URLs', () => {
+      expect(isAllowedImageUrl('https://example.com/image.png')).toBe(true)
+    })
+
+    it('allows HTTP URLs', () => {
+      expect(isAllowedImageUrl('http://example.com/image.png')).toBe(true)
+    })
+
+    it('blocks data: URIs', () => {
+      expect(isAllowedImageUrl('data:image/png;base64,abc')).toBe(false)
+    })
+
+    it('blocks javascript: URIs', () => {
+      expect(isAllowedImageUrl('javascript:alert(1)')).toBe(false)
+    })
+
+    it('blocks localhost', () => {
+      expect(isAllowedImageUrl('http://localhost/image.png')).toBe(false)
+    })
+
+    it('blocks 127.0.0.1', () => {
+      expect(isAllowedImageUrl('http://127.0.0.1/image.png')).toBe(false)
+    })
+
+    it('blocks private IPs (10.x)', () => {
+      expect(isAllowedImageUrl('http://10.0.0.1/image.png')).toBe(false)
+    })
+
+    it('blocks private IPs (192.168.x)', () => {
+      expect(isAllowedImageUrl('http://192.168.1.1/image.png')).toBe(false)
+    })
+
+    it('blocks .local domains', () => {
+      expect(isAllowedImageUrl('http://myhost.local/image.png')).toBe(false)
+    })
+
+    it('blocks .internal domains', () => {
+      expect(isAllowedImageUrl('http://service.internal/image.png')).toBe(false)
+    })
+
+    it('blocks cloud metadata IP (169.254.x.x)', () => {
+      expect(isAllowedImageUrl('http://169.254.169.254/latest/meta-data/')).toBe(false)
+    })
+
+    it('blocks private 172.16-31.x.x range', () => {
+      expect(isAllowedImageUrl('http://172.16.0.1/image.png')).toBe(false)
+      expect(isAllowedImageUrl('http://172.31.255.255/image.png')).toBe(false)
+    })
+
+    it('allows public 172.x IPs outside RFC 1918', () => {
+      expect(isAllowedImageUrl('http://172.64.0.1/image.png')).toBe(true)
+      expect(isAllowedImageUrl('http://172.15.0.1/image.png')).toBe(true)
+      expect(isAllowedImageUrl('http://172.32.0.1/image.png')).toBe(true)
+    })
+
+    it('blocks IPv6 link-local (fe80::)', () => {
+      expect(isAllowedImageUrl('http://[fe80::1]/image.png')).toBe(false)
+    })
+
+    it('blocks IPv6 unique local (fc00::/fd)', () => {
+      expect(isAllowedImageUrl('http://[fc00::1]/image.png')).toBe(false)
+      expect(isAllowedImageUrl('http://[fd12::1]/image.png')).toBe(false)
+    })
+
+    it('blocks 0.0.0.0 (unspecified address)', () => {
+      expect(isAllowedImageUrl('http://0.0.0.0/image.png')).toBe(false)
+    })
+
+    it('returns false for invalid URLs', () => {
+      expect(isAllowedImageUrl('not-a-url')).toBe(false)
+    })
+  })
+
+  describe('resolveAndValidateHost', () => {
+    it('allows URLs with publicly-resolvable hostnames', async () => {
+      // example.com resolves to a public IP
+      expect(await resolveAndValidateHost('https://example.com/image.png')).toBe(true)
+    })
+
+    it('blocks URLs with hostnames that resolve to loopback', async () => {
+      // localhost resolves to 127.0.0.1
+      expect(await resolveAndValidateHost('http://localhost/image.png')).toBe(false)
+    })
+
+    it('blocks IP literals that are private', async () => {
+      expect(await resolveAndValidateHost('http://127.0.0.1/image.png')).toBe(false)
+      expect(await resolveAndValidateHost('http://10.0.0.1/image.png')).toBe(false)
+    })
+
+    it('allows IP literals that are public', async () => {
+      // 93.184.215.14 is example.com's IP
+      expect(await resolveAndValidateHost('http://93.184.215.14/image.png')).toBe(true)
+    })
+
+    it('blocks hostnames that fail DNS resolution', async () => {
+      expect(
+        await resolveAndValidateHost(
+          'http://this-domain-definitely-does-not-exist.invalid/img.png',
+        ),
+      ).toBe(false)
+    })
+
+    it('returns false for invalid URLs', async () => {
+      expect(await resolveAndValidateHost('not-a-url')).toBe(false)
+    })
+  })
+
+  describe('signImageUrl / verifyImageUrl', () => {
+    it('produces a consistent hex signature for the same URL and secret', () => {
+      const sig1 = signImageUrl('https://example.com/img.png', TEST_SECRET)
+      const sig2 = signImageUrl('https://example.com/img.png', TEST_SECRET)
+      expect(sig1).toBe(sig2)
+      expect(sig1).toMatch(/^[0-9a-f]{64}$/) // SHA-256 hex = 64 chars
+    })
+
+    it('produces different signatures for different URLs', () => {
+      const sig1 = signImageUrl('https://example.com/a.png', TEST_SECRET)
+      const sig2 = signImageUrl('https://example.com/b.png', TEST_SECRET)
+      expect(sig1).not.toBe(sig2)
+    })
+
+    it('produces different signatures for different secrets', () => {
+      const sig1 = signImageUrl('https://example.com/img.png', 'secret-a')
+      const sig2 = signImageUrl('https://example.com/img.png', 'secret-b')
+      expect(sig1).not.toBe(sig2)
+    })
+
+    it('verifies a valid signature', () => {
+      const url = 'https://example.com/img.png'
+      const sig = signImageUrl(url, TEST_SECRET)
+      expect(verifyImageUrl(url, sig, TEST_SECRET)).toBe(true)
+    })
+
+    it('rejects an invalid signature', () => {
+      const url = 'https://example.com/img.png'
+      expect(verifyImageUrl(url, 'bad-signature', TEST_SECRET)).toBe(false)
+    })
+
+    it('rejects a signature from a different secret', () => {
+      const url = 'https://example.com/img.png'
+      const sig = signImageUrl(url, 'other-secret')
+      expect(verifyImageUrl(url, sig, TEST_SECRET)).toBe(false)
+    })
+
+    it('rejects empty signature', () => {
+      expect(verifyImageUrl('https://example.com/img.png', '', TEST_SECRET)).toBe(false)
+    })
+
+    it('rejects empty secret', () => {
+      const sig = signImageUrl('https://example.com/img.png', TEST_SECRET)
+      expect(verifyImageUrl('https://example.com/img.png', sig, '')).toBe(false)
+    })
+  })
+
+  describe('toProxiedImageUrl', () => {
+    it('returns trusted URLs as-is', () => {
+      const url = 'https://raw.githubusercontent.com/owner/repo/main/image.png'
+      expect(toProxiedImageUrl(url, TEST_SECRET)).toBe(url)
+    })
+
+    it('proxies untrusted external URLs with HMAC signature', () => {
+      const url = 'https://evil-tracker.com/pixel.gif'
+      const result = toProxiedImageUrl(url, TEST_SECRET)
+      const sig = signImageUrl(url, TEST_SECRET)
+      expect(result).toBe(`/api/registry/image-proxy?url=${encodeURIComponent(url)}&sig=${sig}`)
+    })
+
+    it('proxies unknown third-party image hosts with HMAC signature', () => {
+      const url = 'https://some-random-site.com/tracking-pixel.png'
+      const result = toProxiedImageUrl(url, TEST_SECRET)
+      expect(result).toContain('/api/registry/image-proxy?url=')
+      expect(result).toContain('&sig=')
+    })
+
+    it('generates verifiable signatures in proxy URLs', () => {
+      const url = 'https://evil-tracker.com/pixel.gif'
+      const result = toProxiedImageUrl(url, TEST_SECRET)
+      const sigMatch = result.match(/&sig=([0-9a-f]+)$/)
+      expect(sigMatch).not.toBeNull()
+      expect(verifyImageUrl(url, sigMatch![1]!, TEST_SECRET)).toBe(true)
+    })
+
+    it('does not proxy shields.io badges', () => {
+      const url = 'https://img.shields.io/badge/build-passing-green'
+      expect(toProxiedImageUrl(url, TEST_SECRET)).toBe(url)
+    })
+
+    it('does not proxy jsdelivr CDN images', () => {
+      const url = 'https://cdn.jsdelivr.net/npm/pkg/logo.png'
+      expect(toProxiedImageUrl(url, TEST_SECRET)).toBe(url)
+    })
+
+    it('returns empty string for empty input', () => {
+      expect(toProxiedImageUrl('', TEST_SECRET)).toBe('')
+    })
+
+    it('returns anchor links as-is', () => {
+      expect(toProxiedImageUrl('#section', TEST_SECRET)).toBe('#section')
+    })
+
+    it('returns data URIs as-is', () => {
+      expect(toProxiedImageUrl('data:image/png;base64,abc', TEST_SECRET)).toBe(
+        'data:image/png;base64,abc',
+      )
+    })
+
+    it('returns relative URLs as-is', () => {
+      expect(toProxiedImageUrl('./images/logo.png', TEST_SECRET)).toBe('./images/logo.png')
+    })
+
+    it('does not proxy GitHub blob URLs', () => {
+      const url = 'https://github.com/owner/repo/blob/main/assets/logo.png'
+      expect(toProxiedImageUrl(url, TEST_SECRET)).toBe(url)
+    })
+
+    it('normalizes protocol-relative URLs to HTTPS', () => {
+      const result = toProxiedImageUrl('//evil-tracker.com/pixel.gif', TEST_SECRET)
+      expect(result).toContain(encodeURIComponent('https://evil-tracker.com/pixel.gif'))
+      expect(result).toContain('&sig=')
+    })
+
+    it('returns trusted protocol-relative URLs normalized to HTTPS', () => {
+      const result = toProxiedImageUrl('//img.shields.io/badge/test', TEST_SECRET)
+      expect(result).toBe('https://img.shields.io/badge/test')
+    })
+  })
+})
diff --git a/test/unit/server/utils/readme.spec.ts b/test/unit/server/utils/readme.spec.ts
index 7528ee6930..d06be1806d 100644
--- a/test/unit/server/utils/readme.spec.ts
+++ b/test/unit/server/utils/readme.spec.ts
@@ -1,7 +1,7 @@
 import type { RepositoryInfo } from '#shared/utils/git-providers'
 import { describe, expect, it, vi, beforeAll } from 'vitest'
 
-// Mock the global Nuxt auto-import before importing the module
+// Mock the global Nuxt auto-imports before importing the module
 beforeAll(() => {
   vi.stubGlobal(
     'getShikiHighlighter',
@@ -10,6 +10,12 @@ beforeAll(() => {
       codeToHtml: (code: string) => `<pre><code>${code}</code></pre>`,
     }),
   )
+  vi.stubGlobal(
+    'useRuntimeConfig',
+    vi.fn().mockReturnValue({
+      imageProxySecret: 'test-secret-for-readme-tests',
+    }),
+  )
 })
 
 // Import after mock is set up
@@ -358,6 +364,68 @@ describe('Markdown File URL Resolution', () => {
   })
 })
 
+describe('Image Privacy Proxy', () => {
+  describe('trusted domains (not proxied)', () => {
+    it('does not proxy GitHub raw content images', async () => {
+      const repoInfo = createRepoInfo()
+      const markdown = `![logo](./assets/logo.png)`
+      const result = await renderReadmeHtml(markdown, 'test-pkg', repoInfo)
+
+      expect(result.html).toContain(
+        'src="https://raw.githubusercontent.com/test-owner/test-repo/HEAD/assets/logo.png"',
+      )
+      expect(result.html).not.toContain('/api/registry/image-proxy')
+    })
+
+    it('does not proxy shields.io badge images', async () => {
+      const markdown = `![badge](https://img.shields.io/badge/build-passing-green)`
+      const result = await renderReadmeHtml(markdown, 'test-pkg')
+
+      expect(result.html).toContain('src="https://img.shields.io/badge/build-passing-green"')
+      expect(result.html).not.toContain('/api/registry/image-proxy')
+    })
+
+    it('does not proxy jsdelivr CDN images', async () => {
+      const markdown = `![logo](./logo.png)`
+      const result = await renderReadmeHtml(markdown, 'test-pkg')
+
+      expect(result.html).toContain('src="https://cdn.jsdelivr.net/npm/test-pkg/logo.png"')
+      expect(result.html).not.toContain('/api/registry/image-proxy')
+    })
+  })
+
+  describe('untrusted domains (proxied)', () => {
+    it('proxies images from unknown third-party domains with HMAC signature', async () => {
+      const markdown = `![tracker](https://evil-tracker.com/pixel.gif)`
+      const result = await renderReadmeHtml(markdown, 'test-pkg')
+
+      expect(result.html).toContain('/api/registry/image-proxy?url=')
+      expect(result.html).toContain(encodeURIComponent('https://evil-tracker.com/pixel.gif'))
+      // HTML attributes encode & as &amp;
+      expect(result.html).toMatch(/&amp;sig=[0-9a-f]{64}/)
+      expect(result.html).not.toContain('src="https://evil-tracker.com/pixel.gif"')
+    })
+
+    it('proxies images from arbitrary hosts with HMAC signature', async () => {
+      const markdown = `![img](https://some-random-host.com/image.png)`
+      const result = await renderReadmeHtml(markdown, 'test-pkg')
+
+      expect(result.html).toContain('/api/registry/image-proxy?url=')
+      expect(result.html).toContain(encodeURIComponent('https://some-random-host.com/image.png'))
+      expect(result.html).toMatch(/&amp;sig=[0-9a-f]{64}/)
+    })
+
+    it('proxies HTML img tags from untrusted domains with HMAC signature', async () => {
+      const markdown = `<img src="https://unknown-site.org/tracking.png" alt="test">`
+      const result = await renderReadmeHtml(markdown, 'test-pkg')
+
+      expect(result.html).toContain('/api/registry/image-proxy?url=')
+      expect(result.html).toContain(encodeURIComponent('https://unknown-site.org/tracking.png'))
+      expect(result.html).toMatch(/&amp;sig=[0-9a-f]{64}/)
+    })
+  })
+})
+
 describe('ReadmeResponse shape (HTML route contract)', () => {
   it('returns ReadmeResponse with html, mdExists, playgroundLinks, toc', async () => {
     const markdown = `# Title\n\nSome **bold** text.`
diff --git a/vitest.config.ts b/vitest.config.ts
index 9b96a1dbe4..3be3e6f214 100644
--- a/vitest.config.ts
+++ b/vitest.config.ts
@@ -12,6 +12,7 @@ export default defineConfig({
         resolve: {
           alias: {
             '#shared': `${rootDir}/shared`,
+            '#server': `${rootDir}/server`,
           },
         },
         test: {