diff --git a/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java b/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
index e5bcd950fa..3c00633073 100644
--- a/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
+++ b/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
@@ -42,9 +42,9 @@ public SecurityFilterChain securityHeadersFilter(HttpSecurity http) throws Excep
 }
 private HttpSecurity setHeaders(HttpSecurity http) throws Exception {
- http.headers(h -> h.contentSecurityPolicy(e -> e.policyDirectives("script-src 'self' 'unsafe-inline';"
- + " style-src 'self' 'unsafe-inline';" + " object-src 'none';"
- + " base-uri 'self';"
+ http.headers(h -> h.contentSecurityPolicy(e -> e.policyDirectives("default-src 'self';"
+ + "script-src 'self' 'unsafe-inline';" + " style-src 'self' 'unsafe-inline';"
+ + " object-src 'none';" + " base-uri 'self';"
 + " connect-src 'self' https://sso.puzzle.ch http://localhost:8544; https://sso.puzzle.ch/auth/realms/pitc/.well-known/openid-configuration; https://idp-mock-okr.ocp-internal.cloudscale.puzzle.ch;" + " font-src 'self';" + " frame-src 'self';" + " img-src 'self';" + " manifest-src 'self';" + " media-src 'self';" + " worker-src 'none';"))
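Review bot: In the `connect-src` context line directly below the added `default-src 'self';`, the source list is cut by stray semicolons after `http://localhost:8544` and after `openid-configuration`, so the two URLs that follow are parsed as separate directives with unknown names and ignored; `https://idp-mock-okr.ocp-internal.cloudscale.puzzle.ch` is therefore not an allowed connect target. Replace those two `;` with spaces so the whole list stays inside one `connect-src` directive, and consider supplying `http://localhost:8544` and the mock IdP host from per-environment configuration, since this hard-coded policy appears to be shared by all environments. `default-src` is only a fallback for fetch directives, so `form-action` and `frame-ancestors` are not covered by it; appending `+ " form-action 'self';" + " frame-ancestors 'self';"` would close that gap (values to confirm against how the app is embedded). `script-src` still carries `'unsafe-inline'`, so the new default does not restrict inline script. The `setHeaders` body continues past the end of this hunk.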