diff --git a/config/packages/nelmio_security.yaml b/config/packages/nelmio_security.yaml
index f9b5cd32..24e0a50d 100644
--- a/config/packages/nelmio_security.yaml
+++ b/config/packages/nelmio_security.yaml
@@ -29,3 +29,32 @@ nelmio_security:
 policies:
 - 'no-referrer'
 - 'strict-origin-when-cross-origin'
+
+ csp:
+ enabled: true
+ hosts: [ ]
+ content_types: [ ]
+ enforce:
+ level1_fallback: false
+ browser_adaptive:
+ enabled: false
+ report-uri: '%router.request_context.base_url%/csp/report'
+ default-src:
+ - 'self'
+ img-src:
+ - '*'
+ - 'data:'
+ style-src:
+ - 'self'
+ - 'unsafe-inline'
+ - 'data:'
+ script-src:
+ - 'self'
+ object-src:
+ - 'self'
+ - 'data:'
+ frame-src:
+ - 'self'
+ - 'data:'
+ block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
+ # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
diff --git a/config/routes.yaml b/config/routes.yaml
index a4c96ac6..7d495d6d 100644
--- a/config/routes.yaml
+++ b/config/routes.yaml
@@ -8,6 +8,12 @@ scan_qr:
 path: /scan/{type}/{id}
 controller: App\Controller\ScanController:scanQRCode
 
+csp_report:
+ path: /csp/report
+ methods: [POST]
+ defaults: { _controller: nelmio_security.csp_reporter_controller::indexAction }
+
+# Must be last as it matches everything
 redirector:
 path: /{url}
 requirements:
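Review bot: `object-src` in the new `enforce` block allows `'self'` and `'data:'`, so data: URIs can be loaded as `<object>`/`<embed>` content; unless the app actually embeds plugin objects, the hardened baseline is `object-src: ['none']`. `base-uri` and `form-action` do not fall back to `default-src`, so as written a markup injection could still retarget relative URLs or form submissions — consider adding `base-uri: ['self']` and `form-action: ['self']` next to `default-src`. The policy goes straight to `enforce` with no `report` section and `level1_fallback: false`; since this commit also wires a report endpoint, running the same directives under `report:` first would surface breakage (the `'unsafe-inline'` in `style-src` and `'*'` in `img-src` suggest the resource inventory is not yet tight) before they block users. As far as I know `block-all-mixed-content` is now obsolete in the CSP spec, so the commented-out `upgrade-insecure-requests` is the directive current browsers act on.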
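Review bot: The new `csp_report` route is an anonymous, attacker-reachable POST endpoint, and as far as I know the bundle's reporter controller writes each body to the application log, so anyone can fill the log channel with arbitrary JSON; the `csp.report` section of `nelmio_security.yaml` (not part of this commit) should set a dedicated `log_channel` and enable the `filter` options (`browser_bugs`, `injected_scripts`, and an allow-list of `domains`) so extension noise and off-origin reports are dropped before they are stored. Browser-generated reports carry no session or CSRF token, so the route must remain outside any firewall or `access_control` rule that would redirect or reject it; whether `security.yaml` already exempts `^/csp/report` is not visible here. A comment above the route, e.g. `# CSP violation reports from browsers (see csp.enforce.report-uri in nelmio_security.yaml); must be reachable anonymously`, would also explain why it sits before the catch-all `redirector`.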