diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index a1d653a..afa3e81 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -19,6 +19,9 @@ server {
 expires 30d;
 add_header Access-Control-Allow-Origin "*";
+
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
 }
 location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 4d16781..227ed1b 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -16,6 +16,9 @@ server {
 proxy_pass http://localhost:<%= @backend_port %>;
 proxy_redirect off;
 proxy_buffering off;
+
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
 }
 location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index 633e10e..668cea4 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -51,6 +51,12 @@ server {
 include /etc/nginx/fastcgi_params;
 }
 <%- end -%>
+
+ location / {
+
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+ }
 }
 # vim: ts=2 sw=2 et
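Review bot: In the `add_header Content-Security-Policy-Report-Only` line added to contentorigin, `report-to` is given a URL, but that directive takes the name of a reporting group declared in a separate `Reporting-Endpoints` (or `Report-To`) header. With a URL in that position browsers have no endpoint to deliver to, so a report-only policy produces nothing. The same string is repeated in the gruntjscom, miscweb and wordpress hunks. I would carry the URL in `report-uri https://csp-report-api.openjs-foundation.workers.dev/;` and, if `report-to` is wanted as well, add `add_header Reporting-Endpoints 'csp-endpoint="https://csp-report-api.openjs-foundation.workers.dev/"';` and reference it as `report-to csp-endpoint`. The enclosing location block starts outside the hunk.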
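Review bot: The `add_header` added to the proxying location in gruntjscom changes header inheritance for that location. nginx applies `add_header` directives from the `server` level only when the location defines none of its own, so any headers set higher up (outside this hunk, so I cannot confirm there are any) would stop being sent on these responses. If the server block sets headers such as HSTS, repeat them in this location or move the shared set into a snippet that each location includes. The same applies to the new `location /` in miscweb. Without the `always` parameter the header is also left off error responses, which deserves a comment such as `# sent on 2xx/3xx only; add "always" to cover error pages`.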
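Review bot: The new `location / { … }` in miscweb holds only the `add_header`, so the policy is attached to requests that fall through to `/` and not to the block that includes `fastcgi_params`, visible as context just above. Responses from that handler would generate no reports. If a `location /` is already defined earlier in this server block (not visible in the hunk), nginx refuses the configuration as a duplicate location, so the rendered template should be checked with `nginx -t`. Placing the header at `server` level instead would cover every location that has no `add_header` of its own.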
diff --git a/modules/profile/templates/wordpress/base/default-tls.nginx.erb b/modules/profile/templates/wordpress/base/default-tls.nginx.erb
index c6cf55b..595a7ee 100644
--- a/modules/profile/templates/wordpress/base/default-tls.nginx.erb
+++ b/modules/profile/templates/wordpress/base/default-tls.nginx.erb
@@ -20,5 +20,8 @@ server {
 location / {
 deny all;
+
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
 }
 }
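Review bot: The header added under `deny all;` in default-tls is never sent, because `deny all` answers with 403 and `add_header` without the `always` parameter is applied only to a fixed list of 2xx and 3xx status codes. Either drop the line from this catch-all server or append `always` before the closing semicolon of the directive, if reports from the denied host are actually wanted. A 403 page that loads no subresources would report very little either way, so removing the line looks like the simpler choice.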