diff --git a/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java b/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
index 647af37c2d..080bf1bffd 100644
--- a/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
+++ b/services/submission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
@@ -55,6 +55,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .mvcMatchers(HttpMethod.POST, SUBMISSION_ROUTE).permitAll()
 .anyRequest().denyAll()
 .and().csrf().disable();
+ http.headers().contentSecurityPolicy("default-src 'self'");
 }
 }
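Review bot: The policy string on the added `http.headers().contentSecurityPolicy(...)` line is looser than this service seems to need and leaves framing uncovered, because `default-src` is not a fallback for `frame-ancestors`, `base-uri` or `form-action`. If the submission service only returns API responses and never HTML (not visible from this hunk), nothing has to be loadable from `'self'` at all. Consider `http.headers().contentSecurityPolicy("default-src 'none'; frame-ancestors 'none'");`, with a short comment such as `// API-only service: no document content is served, so deny all resource loads and framing`. A test asserting the `Content-Security-Policy` response header on the submission route would keep the policy from regressing silently. The body of `configure` starts above the hunk, so the rest of the chain was not reviewed.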