diff --git a/server/resource.go b/server/resource.go
index 714e9a47..9958e5fc 100644
--- a/server/resource.go
+++ b/server/resource.go
@@ -265,6 +265,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 c.Response().Writer.Header().Set("Content-Type", resource.Type)
 c.Response().Writer.WriteHeader(http.StatusOK)
 c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+ c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
 if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
 return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write response").SetInternal(err)
 }
diff --git a/server/server.go b/server/server.go
index 5f43e7f8..243f26ad 100644
--- a/server/server.go
+++ b/server/server.go
@@ -44,10 +44,6 @@ func NewServer(profile *profile.Profile) *Server {
 Timeout: 30 * time.Second,
 }))
- e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
- ContentSecurityPolicy: "default-src 'self'",
- }))
-
 embedFrontend(e)
 // In dev mode, set the const secret key to make signin session persistence.
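Review bot: The new Content-Security-Policy header is set after `c.Response().Writer.WriteHeader(http.StatusOK)` two lines above it, and net/http flushes the header map when WriteHeader is called, so this header (and the pre-existing Cache-Control set on the line before it) is never sent to the client. Move both Set calls above the status write: `c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")`, `c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")`, then `c.Response().Writer.WriteHeader(http.StatusOK)`. Since this route writes a stored blob under a stored `resource.Type` (presumably user-supplied at upload, worth confirming), a policy that forbids script execution entirely, such as `default-src 'none'; sandbox`, together with `X-Content-Type-Options: nosniff`, is the usual choice for serving untrusted content, whereas `default-src 'self'` still lets an HTML or SVG blob load same-origin resources. The enclosing handler starts and ends outside the hunk.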
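Review bot: Removing the `middleware.SecureWithConfig` registration drops the only Content-Security-Policy the frontend and API routes had, and the replacement added in server/resource.go is emitted after WriteHeader and so does not take effect, leaving the server with no CSP anywhere after this commit. If the motivation was that `default-src 'self'` broke the embedded frontend (this is inferred, not stated in the diff), a `Skipper` on the secure config or a route-scoped `SecureWithConfig` on the groups that need a different policy would keep a policy on the HTML pages instead of removing it globally; at minimum the change deserves a comment in NewServer explaining why no global CSP is set. NewServer continues outside the hunk.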