diff --git a/app/server.go b/app/server.go
index 55af6f1..b8c158c 100644
--- a/app/server.go
+++ b/app/server.go
@@ -139,7 +139,13 @@ func (a *App) SetServerSettings() {
e.Use(session.Middleware(store))
- e.Use(middleware.Secure())
+ e.Use(
+ middleware.SecureWithConfig(
+ middleware.SecureConfig{
+ ContentSecurityPolicy: a.setting.HTTPCSP(),
+ },
+ ),
+ )
if a.setting.HTTPGzipEnabled() {
e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
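Review bot: Swapping middleware.Secure() for a SecureWithConfig call whose config sets only ContentSecurityPolicy drops the headers the default config carried: if this is labstack/echo v4, SecureWithConfig defaults only Skipper, so X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN and X-XSS-Protection stop being emitted once this lands. Start from the defaults and override the one field instead: `cfg := middleware.DefaultSecureConfig`, `cfg.ContentSecurityPolicy = a.setting.HTTPCSP()`, `e.Use(middleware.SecureWithConfig(cfg))`. SetServerSettings continues on both sides of the hunk, so check whether any of the dropped headers are set elsewhere before relying on this.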
diff --git a/app/settings/helper.go b/app/settings/helper.go
index 8d7ecb8..540cc5a 100644
--- a/app/settings/helper.go
+++ b/app/settings/helper.go
@@ -50,6 +50,9 @@ func (s *Settings) sortOutFlags(conf *config.Config, hostFlag *string, portFlag
if d := *develFlag; d != conf.DevelMode {
log.Debugf(overrideMsg, "develMode", d)
s.SetIsDevel(d)
+
+ log.Debug("making sure that CSP is set appropriately for devel mode (flag override)")
+ s.SetHTTPCSP(conf.HTTP.ContentSecurityPolicy)
}
}
}
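Review bot: The extra SetHTTPCSP call added after SetIsDevel works around an ordering dependency rather than removing it: SetHTTPCSP (settings.go hunk @@ -412) reads s.isDevel when it picks a default, so the stored policy goes stale whenever isDevel changes afterwards, and every caller (Consolidate at @@ -148 and this override branch) has to remember to call it again. It would be more robust to store the configured value verbatim and resolve the default in the getter HTTPCSP(), which makes this re-set and its log line unnecessary. Note also that when conf.HTTP.ContentSecurityPolicy is non-empty the re-set changes nothing, so the log message overstates what happens. The enclosing sortOutFlags starts outside the hunk.
```go
// HTTPCSP returns the configured content security policy, or the
// devel/production default when none was configured.
func (s *Settings) HTTPCSP() string {
	if s.httpCSP != "" {
		return s.httpCSP
	}
	if s.isDevel {
		return defaultCSPDevel
	}
	return defaultCSP
}

// SetHTTPCSP stores the configured policy; an empty value means "use the default".
func (s *Settings) SetHTTPCSP(csp string) {
	s.httpCSP = csp
}
```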
diff --git a/app/settings/settings.go b/app/settings/settings.go
index 287ae7d..0d913f7 100644
--- a/app/settings/settings.go
+++ b/app/settings/settings.go
@@ -22,6 +22,7 @@ type Settings struct {
httpGzipLevel int
httpRateLimitEnabled bool
httpRateLimit int
+ httpCSP string
isLive bool
isDevel bool
initCreateAdmin bool
@@ -49,6 +50,8 @@ const (
defaultPort = 3000
defaultSessionMaxAge = 86400 // seconds.
defaultHTTPDomain = "localhost"
+ defaultCSP = "upgrade-insecure-requests; default-src 'self'; manifest-src 'self'; font-src 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
+ defaultCSPDevel = "default-src 'self'; manifest-src 'self'; font-src 'self'; connect-src 'self' ws://localhost:3002 http://localhost:3002; script-src 'self' http://localhost:3002; style-src 'self'; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
defaultServerWriteTimeout = 30 * time.Second
defaultServerReadHeaderTimeout = 30 * time.Second
defaultLoggerSkipAssets = true
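Review bot: `object-src 'self'` in both defaultCSP and defaultCSPDevel still allows plugin content served from the app's own origin; unless the app actually serves such objects, `object-src 'none'` is the usual hardening. The devel policy also hard-codes the browsersync host `localhost:3002` without tying it to templates/browsersync.tmpl, and the two constants are near-duplicates that will drift as directives are added. A comment such as `// defaultCSPDevel relaxes defaultCSP for the browsersync dev server on localhost:3002 (templates/browsersync.tmpl); keep the two in sync.` would help, or derive the devel variant from the production one. Dropping upgrade-insecure-requests in devel is presumably deliberate for plain-HTTP local serving and could be stated in the same comment.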
@@ -138,6 +141,15 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
s.sessionEncrIsHex = true
}
+ if conf.Init.CreateAdmin {
+ s.SetInitCreateAdmin(true)
+ s.SetInitAdminPassword(conf.Init.AdminPassword)
+ }
+
+ if conf.Registration.Allowed {
+ s.RegistrationAllowed = true
+ }
+
if conf.HTTP.Gzip > 0 {
s.SetHTTPGzipEnabled(true)
s.SetHTTPGzipLevel(conf.HTTP.Gzip)
@@ -148,15 +160,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
s.SetHTTPRateLimit(conf.HTTP.RateLimit)
}
- if conf.Init.CreateAdmin {
- s.SetInitCreateAdmin(true)
- s.SetInitAdminPassword(conf.Init.AdminPassword)
- }
-
- if conf.Registration.Allowed {
- s.RegistrationAllowed = true
- }
-
+ s.SetHTTPCSP(conf.HTTP.ContentSecurityPolicy)
s.SetHTTPDomain(conf.HTTP.Domain)
s.SetHTTPSecure(conf.HTTP.Secure)
s.setAPIKeys()
@@ -269,6 +273,11 @@ func (s *Settings) HTTPRateLimit() int {
return s.httpRateLimit
}
+// HTTPCSP returns the httpCSP.
+func (s *Settings) HTTPCSP() string {
+ return s.httpCSP
+}
+
// AssetsPath returns the assetsPath.
func (s *Settings) AssetsPath() string {
return s.assetsPath
@@ -412,6 +421,20 @@ func (s *Settings) SetHTTPRateLimit(rateLimit int) {
s.httpRateLimit = rateLimit
}
+// SetHTTPCSP sets the content security policy.
+func (s *Settings) SetHTTPCSP(csp string) {
+ switch csp {
+ case "":
+ if s.isDevel {
+ s.httpCSP = defaultCSPDevel
+ } else {
+ s.httpCSP = defaultCSP
+ }
+ default:
+ s.httpCSP = csp
+ }
+}
+
// SetAssetsPath sets the assetsPath.
func (s *Settings) SetAssetsPath(assetsPath string) {
s.assetsPath = assetsPath
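Review bot: The doc comment on SetHTTPCSP omits the behaviour a reader actually needs: that an empty csp selects defaultCSPDevel or defaultCSP depending on the value of s.isDevel at the time of the call; suggest `// SetHTTPCSP sets the content security policy. An empty csp selects defaultCSPDevel or defaultCSP according to s.isDevel, so call it after SetIsDevel.` A `switch` with a single case plus default reads more naturally as `if csp != "" { s.httpCSP = csp; return }` followed by the isDevel branch. The value is stored without any validation, which is acceptable for a trusted config file but worth a comment, since a mistyped directive is simply ignored by browsers rather than reported here.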
diff --git a/handlers/page.go b/handlers/page.go
index bffca83..8b278e9 100644
--- a/handlers/page.go
+++ b/handlers/page.go
@@ -12,6 +12,7 @@ type page struct {
Title string
Name string
CSRF string
+ CSP string
DevelMode bool
Current string
Error string
@@ -28,6 +29,7 @@ func newPage() *page {
p := &page{
AppName: appName,
AppVer: appver,
+ CSP: setting.HTTPCSP(),
DevelMode: appIsDevel,
Data: data,
}
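Review bot: newPage now carries the same policy that server.go already sends as a response header, presumably so head.tmpl can render it in a `<meta http-equiv="Content-Security-Policy">` tag; the head.tmpl hunk on this page does not show such a tag, so this is inferred. If that is the intent, a meta-delivered policy cannot carry frame-ancestors (present in defaultCSP), report-uri or sandbox — browsers ignore them there with a console warning — and a header and a meta policy are enforced together, so the meta copy adds no protection the header lacks while doubling the places that must stay in sync. Either drop the page field or document it, e.g. `// CSP mirrors the Content-Security-Policy response header set in app/server.go; keep them identical.` newPage continues outside the hunk.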
diff --git a/templates/head.tmpl b/templates/head.tmpl
index 8f41059..e23f5a1 100644
--- a/templates/head.tmpl
+++ b/templates/head.tmpl
@@ -22,12 +22,9 @@
+
{{- if .DevelMode -}}
-
-
{{ template "browsersync.tmpl" }}
-{{ else }}
-
{{- end -}}