diff --git a/Dockerfile b/Dockerfile
index 714ab10..898e128 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,4 +54,4 @@ EXPOSE 8085/tcp
 
 WORKDIR /usr/share/nginx
 
-CMD ["nginx"]
+CMD ["/bin/sh", "-c", "TURNKEY_FRAME_ANCESTORS=${TURNKEY_FRAME_ANCESTORS:-'none'} envsubst '${TURNKEY_FRAME_ANCESTORS}' < /etc/nginx/nginx.conf > /tmp/nginx-final.conf && nginx -c /tmp/nginx-final.conf"]
diff --git a/nginx.conf b/nginx.conf
index 7ea68e7..da0951e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -72,8 +72,8 @@ http {
     }
     server {
         listen 8086;
-        # optional: add CSP-related configs here later
         root /usr/share/nginx/templated/export-and-sign;
+        add_header Content-Security-Policy "frame-ancestors ${TURNKEY_FRAME_ANCESTORS}";
         location / {
             try_files $uri $uri/ /index.html =404;
         }