diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index eee387e4..94216327 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -225,6 +225,7 @@ http {
 
         location = /web-install {
             include /etc/nginx/snippets/security-headers-base.conf;
+            add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
             add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=()" always;
             # Feature-Policy is being replaced by Permissions-Policy
             add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; screen-wake-lock 'none'; sync-xhr 'none'; xr-spatial-tracking 'none'" always;
diff --git a/nginx/snippets/security-headers-base.conf b/nginx/snippets/security-headers-base.conf
index b5559fe7..4efea358 100644
--- a/nginx/snippets/security-headers-base.conf
+++ b/nginx/snippets/security-headers-base.conf
@@ -4,7 +4,6 @@ add_header Referrer-Policy "no-referrer" always;
 add_header Expect-CT "enforce, max-age=63072000" always;
 add_header Cross-Origin-Opener-Policy "same-origin" always;
 add_header Cross-Origin-Embedder-Policy "require-corp" always;
-add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'" always;
 
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
 add_header X-Frame-Options "DENY" always;
diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf
index 5ead941c..af0800f0 100644
--- a/nginx/snippets/security-headers.conf
+++ b/nginx/snippets/security-headers.conf
@@ -1,5 +1,7 @@
 include snippets/security-headers-base.conf;
 
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'" always;
+
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 
 # Feature-Policy is being replaced by Permissions-Policy