diff --git a/nginx/sites-enabled/karakeep b/nginx/sites-enabled/karakeep
index 197cdbc..8174066 100644
--- a/nginx/sites-enabled/karakeep
+++ b/nginx/sites-enabled/karakeep
@@ -42,7 +42,14 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     set $CSP "default-src https: data: blob:";
     set $CSP "$CSP; img-src 'self' https://* data:";
-    # add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* data: ; style-src 'self' 'unsafe-inline' data:; style-src-elem data:; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:; worker-src 'self' blob: data:; connect-src 'self' data:; object-src 'none' data:; frame-ancestors 'self' data:; font-src 'self' data:";
+    set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
+    set $CSP "$CSP; worker-src 'self' blob: data:";
+    set $CSP "$CSP; connect-src 'self' data:";
+    set $CSP "$CSP; object-src 'none' data:";
+    set $CSP "$CSP; frame-ancestors 'self' data:";
+    set $CSP "$CSP; font-src 'self' data:";
     add_header Content-Security-Policy $CSP;
 
     location /.well-known/acme-challenge/ {
@@ -58,6 +65,7 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Protocol $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
+        proxy_hide_header Content-Security-Policy;
 
         # Disable buffering when the nginx proxy gets very resource heavy upon streaming
         proxy_buffering off;