diff --git a/deploy/docker/observability-ui.dockerfile b/deploy/docker/observability-ui.dockerfile
index 3519b5b..7599035 100644
--- a/deploy/docker/observability-ui.dockerfile
+++ b/deploy/docker/observability-ui.dockerfile
@@ -23,6 +23,7 @@ FROM ${BASE_IMAGE_URL}nginxinc/nginx-unprivileged:1.25
 WORKDIR /observability_ui
 ENV OBSERVABILITY_API_HOSTNAME=
+ENV OBSERVABILITY_CSP_EXTRA=
 ENV NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
 COPY --from=build-image --chown=nginx:nginx /observability_ui/dist /observability_ui
diff --git a/observability_ui/nginx.conf b/observability_ui/nginx.conf
index 50295aa..f4e08e7 100644
--- a/observability_ui/nginx.conf
+++ b/observability_ui/nginx.conf
@@ -58,11 +58,12 @@ http {
 sub_filter_once off;
 sub_filter RandomNonceValue $request_id;
 set $api_hostname "$OBSERVABILITY_API_HOSTNAME";
+set $csp_extra "$OBSERVABILITY_CSP_EXTRA";
 try_files /shell$uri /shell/index.html =404;
 add_header X-Content-Type-Options nosniff always;
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-${request_id}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.materialdesignicons.com https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; frame-ancestors 'none'; connect-src 'self' https://fonts.gstatic.com https://cdn.materialdesignicons.com https://cdn.jsdelivr.net ${api_hostname}; upgrade-insecure-requests;" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-${request_id}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.materialdesignicons.com https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; frame-ancestors 'none'; connect-src 'self' https://fonts.gstatic.com https://cdn.materialdesignicons.com https://cdn.jsdelivr.net ${api_hostname}; ${csp_extra}" always;
 }
 }
 }
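Review bot: The new Content-Security-Policy line in observability_ui/nginx.conf drops `upgrade-insecure-requests;`, which the removed line carried at the end of the policy, so the change silently weakens the header for every deployment; unless that removal is intended, keep the directive and append the extra after it: `... ${api_hostname}; upgrade-insecure-requests; ${csp_extra}" always;`. Because `$csp_extra` is spliced verbatim into the header, whatever OBSERVABILITY_CSP_EXTRA holds becomes part of the policy unvalidated, so the ENV in the dockerfile hunk deserves a comment such as `# Optional semicolon-separated CSP directives appended verbatim to the Content-Security-Policy header (e.g. "report-uri /csp-report")`. It is also worth documenting that, per the CSP spec, a directive name that already appears earlier in the policy is ignored when repeated, so this variable can add directives but cannot override the existing `default-src`, `script-src` or `connect-src` values. With the variable unset the header ends in `; `, which browsers accept. The enclosing server/location block of this hunk begins outside the diff.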