diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf index 32464a1..c753c04 100644 --- a/tmpl/portal-nginx.conf +++ b/tmpl/portal-nginx.conf @@ -4,6 +4,7 @@ # default ""; # ~/CN=(?[^/]+) $CN; #} +%set %%webDomain = %%authWebName.split('.',1)[1] server { listen 80; @@ -40,6 +41,8 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_hide_header Content-Security-Policy; + add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'"; }
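Review bot: The added `%set %%webDomain = %%authWebName.split('.',1)[1]` assumes the portal host name always has at least one label in front of the domain that should be trusted. A single-label name such as `localhost` leaves nothing at index `[1]`, and a two-label portal name such as `example.com` yields the bare TLD, which the Content-Security-Policy added in the second hunk would expand to `*.com`. Check the derived value when the template is rendered and fail if it contains no dot, or take the domain from an explicit setting if the template context provides one. A short comment above the line, for example `# webDomain = authWebName without its first label; used for the CSP form-action list`, would also make the dependency visible.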
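Review bot: The `form-action` list in the added `add_header` line allows `http://*.%%webDomain`, so the portal's forms may be submitted in clear text to any host under the domain; unless plain-HTTP applications still have to be supported, keep only the `https://` source. Without the `always` parameter nginx does not attach the header to most 4xx/5xx responses, and an `add_header` inside a location stops inheritance of any `add_header` directives from the server level (none are visible in this hunk, so that needs checking in the full file). `fastcgi_hide_header` also discards whatever policy the application sends itself, and the replacement has no `frame-ancestors`, which does not fall back to `default-src`. A possible form is `add_header Content-Security-Policy "default-src 'self'; form-action 'self' https://*.%%webDomain; object-src 'none'; frame-ancestors 'self'" always;`. The location block these lines belong to starts outside the hunk.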