diff --git a/Dfe.Academies.External.Web/Program.cs b/Dfe.Academies.External.Web/Program.cs
index c0ffde2ce..76c505aaf 100644
--- a/Dfe.Academies.External.Web/Program.cs
+++ b/Dfe.Academies.External.Web/Program.cs
@@ -205,8 +205,14 @@ static IAsyncPolicy<HttpResponseMessage> GetRetryPolicy()
 // added content security policy, manual for now but should probably look at this package in the future NWebsec.AspNetCore.Middleware
 app.Use(async (context, next) =>
 {
-	context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' wss://localhost:44352/Dfe.Academies.External.Web/; script-src 'self' 'sha256-qL+CKdDo+s+wbAVlMRNaKTthlML5CHI7jaNN8xIHquM=' 'sha256-oJB7VN5D3FsVWp4IBkMG5wPNDs4/Yf73/2mCN7Va9ao=' 'sha256-mmu7ufJkx6yK/dAWH2qN/k0kRhIj7O1GP53WoweDgVw=' 'sha256-YXeAP6J7c5mHporqs1+yXBn3qwau95EZrnniBY+4bpQ=' 'sha256-l1eTVSK8DTnK8+yloud7wZUqFrI0atVo6VlC6PJvYaQ=' https://www.googletagmanager.com/gtm.js; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'");
-
+	if (!context.Response.Headers.ContainsKey("Content-Security-Policy"))
+	{
+		context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' wss://localhost:44352/Dfe.Academies.External.Web/; script-src 'self' 'sha256-qL+CKdDo+s+wbAVlMRNaKTthlML5CHI7jaNN8xIHquM=' 'sha256-oJB7VN5D3FsVWp4IBkMG5wPNDs4/Yf73/2mCN7Va9ao=' 'sha256-mmu7ufJkx6yK/dAWH2qN/k0kRhIj7O1GP53WoweDgVw=' 'sha256-YXeAP6J7c5mHporqs1+yXBn3qwau95EZrnniBY+4bpQ=' 'sha256-l1eTVSK8DTnK8+yloud7wZUqFrI0atVo6VlC6PJvYaQ=' https://www.googletagmanager.com/gtm.js; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'");
+	}
+	if (!context.Response.Headers.ContainsKey("Feature-Policy"))
+	{
+		context.Response.Headers.Add("Feature-Policy", "accelerometer 'none'; camera 'none'; microphone 'none';");
+	}
 	await next();
 });