diff --git a/middlewares/content-security-policy/index.ts b/middlewares/content-security-policy/index.ts
index d336631..38cc436 100644
--- a/middlewares/content-security-policy/index.ts
+++ b/middlewares/content-security-policy/index.ts
@@ -68,7 +68,7 @@ const SHOULD_BE_QUOTED: ReadonlySet = new Set([
 "wasm-unsafe-eval",
 ]);
-const getDefaultDirectives = () => ({ ...DEFAULT_DIRECTIVES });
+const getDefaultDirectives = () => structuredClone(DEFAULT_DIRECTIVES);
 const dashify = (str: string): string => str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
diff --git a/test/content-security-policy.test.ts b/test/content-security-policy.test.ts
index 897c6af..b4fc44f 100644
--- a/test/content-security-policy.test.ts
+++ b/test/content-security-policy.test.ts
@@ -581,4 +581,14 @@ describe("getDefaultDirectives", () => {
 contentSecurityPolicy.getDefaultDirectives,
 );
 });
+
+ it("returns a new copy each time", () => {
+ const one = getDefaultDirectives();
+ one["worker-src"] = ["ignored.example"];
+ (one["img-src"] as Array).push("ignored.example");
+
+ const two = getDefaultDirectives();
+ expect(two).not.toHaveProperty("worker-src");
+ expect(two["img-src"]).not.toContain("ignored.example");
+ });
 });
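Review bot: The new `getDefaultDirectives` line carries no comment explaining why a deep copy is required, and the reason is security-relevant: the old spread copied only the top level, so the directive arrays inside `DEFAULT_DIRECTIVES` were shared with every caller, and one caller's `push()` would change the policy emitted for every later response from this module. A one-line comment above it, `// Deep copy: the nested directive arrays must not be shared with callers, or a caller's mutation would alter the defaults used for every subsequent policy.`, records that contract for the next maintainer. Two caveats to confirm rather than assert: `structuredClone` is only available as a global from Node 17 onward, so the package's supported engine range needs to cover it, and it throws a `DataCloneError` on function values, which matters only if `DEFAULT_DIRECTIVES` is typed to allow per-request callback directives (not visible in this hunk). `ReadonlySet` in the hunk context appears without a type argument, most likely `<string>` lost in rendering.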
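Review bot: The new test case reaches the nested array through `(one["img-src"] as Array)`, and `Array` with no type argument does not compile under strict TypeScript, so this is presumably `Array<string>` with the generic stripped in rendering; if the cast is genuinely needed because the helper's return type leaves `img-src` possibly undefined, a non-null narrowing on the typed value is preferable to a widening cast. The case proves that two calls are isolated but not why that matters; a comment such as `// Regression: a shallow copy shared the directive arrays, so a caller's push() leaked into every later policy` would keep a future refactor from reverting to the spread. The enclosing `describe` block begins outside the hunk.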