diff --git a/Dockerfile-react b/Dockerfile-react
index 5ab4dde604..86e7529877 100644
--- a/Dockerfile-react
+++ b/Dockerfile-react
@@ -18,3 +18,4 @@ ARG BUILD_TARGET
 COPY --from=builder /build/$BUILD_TARGET/ /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY csp-headers.conf /etc/nginx/csp-headers.conf
diff --git a/csp-headers.conf b/csp-headers.conf
new file mode 100644
index 0000000000..ae509ce6b8
--- /dev/null
+++ b/csp-headers.conf
@@ -0,0 +1,3 @@
+# Included from each location block that sets Cache-Control (nginx does not inherit
+# add_header from http/server when a location defines its own add_header).
+add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;
diff --git a/nginx.conf b/nginx.conf
index d755977e96..922ee8a487 100644
--- a/nginx.conf
+++ b/nginx.conf
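Review bot: The policy on the new `add_header Content-Security-Policy` line governs resource fetches but omits the directives that `default-src` does not cover: `base-uri`, `form-action` and `frame-ancestors` are all absent, so an injected `<base>` tag could redirect the relative script URLs of the SPA bundle, and unless an `X-Frame-Options` header is set elsewhere in nginx.conf (not visible in this diff) the app can be framed by any origin. I would append `base-uri 'self'; form-action 'self'; frame-ancestors 'self';` to the policy string, adjusting `form-action` if the app posts to a third-party origin. `style-src 'unsafe-inline'` and the broad script hosts such as `https://www.google.com` and `https://*.googletagmanager.com` are the usual concessions for a React app with GTM and YouTube embeds, but they are also the hosts public CSP evaluators flag for JSONP or operator-configurable script endpoints, so a TODO in the header comment about moving to nonces with `'strict-dynamic'` would record that this allowlist is a compromise rather than a target state. Since the header is enforcing from the first deploy, consider shipping it as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` first so violations from the listed embeds surface before they break pages.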
@@ -50,12 +50,14 @@ http {
 location /assets {
 # Strongly cache these things for at least 30 days:
 add_header Cache-Control "public, max-age=2592000, no-transform";
+ include /etc/nginx/csp-headers.conf;
 try_files $uri @default;
 }
 location /static {
 # Maybe also strongly cache these things for at least 30 days?
 add_header Cache-Control "public, max-age=2592000, no-transform";
+ include /etc/nginx/csp-headers.conf;
 try_files $uri @default;
 }
@@ -63,11 +65,13 @@ http {
 # Index pages, and also serves unknown URLs too from @default.
 # Do not allow caching of these index pages at all:
 add_header Cache-Control "no-cache, no-store, must-revalidate";
+ include /etc/nginx/csp-headers.conf;
 try_files $uri @default;
 }
 location ~ ^/unsupported_browser.(html|js)$ {
 add_header Cache-Control "no-cache, no-store, must-revalidate";
+ include /etc/nginx/csp-headers.conf;
 try_files $uri @default;
 }
@@ -78,6 +82,7 @@ http {
 }
 # Allow caching, but require revalidation every time:
 add_header Cache-Control "no-cache, must-revalidate";
+ include /etc/nginx/csp-headers.conf;
 try_files $uri @default;
 }
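Review bot: Both `try_files $uri @default;` lines in this hunk fall back to the named `@default` location, which is not part of this diff; under the inheritance rule the new csp-headers.conf comment itself describes, the CSP will be missing from exactly those fallback responses if `@default` defines any `add_header` of its own and was not given the same `include`. Those fallbacks are the responses that serve the SPA shell for deep links, so this is worth confirming with `curl -sI` against a path that does not exist on disk rather than assuming. A one-line reminder beside each include, `# every location that sets add_header must also include this, or the CSP is silently dropped`, would stop the next location added to this file from losing the header.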
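Review bot: The `}` on the first line of this hunk closes an inner block of a location whose opening is outside the diff; if that block is an `if` or a nested location that sets its own `add_header`, it forms its own configuration level and will not inherit the CSP added after it, so the include may need to be repeated inside that block as well. This cannot be determined from the hunk, so the inner block should be checked rather than assumed safe. If it contains only a `return` or `rewrite` with no headers, nothing further is needed, and the `always` flag on the policy already ensures non-2xx responses from this location carry it.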