diff --git a/atst/app.py b/atst/app.py
index 3aed098f..22acbb31 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -127,6 +127,8 @@ def make_flask_callbacks(app):
 def set_default_headers(app): # pragma: no cover
+    static_url = app.config.get("STATIC_URL")
+
     @app.after_request
     def _set_security_headers(response):
         response.headers[
@@ -143,7 +145,7 @@ def set_default_headers(app): # pragma: no cover
         else:
             response.headers[
                 "Content-Security-Policy"
-            ] = "default-src 'self' 'unsafe-eval' 'unsafe-inline'"
+            ] = f"default-src 'self' 'unsafe-eval' 'unsafe-inline' {static_url}"
         return response
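Review bot: The new `Content-Security-Policy` value in the second hunk interpolates `static_url` unconditionally, but the first hunk reads it with `app.config.get("STATIC_URL")` and no default, so a deployment without that key emits the literal token `None` (and an empty string emits a trailing space) as a CSP source expression; the header is then malformed rather than falling back to the previous `'self'`-only policy. Append the source only when it is set, e.g. `] = "default-src 'self' 'unsafe-eval' 'unsafe-inline'" + (f" {static_url}" if static_url else "")`. Because `STATIC_URL` becomes a script-capable origin here alongside `'unsafe-eval'` and `'unsafe-inline'`, it is worth a comment on the config read in the first hunk, such as `# STATIC_URL is trusted as a CSP source for scripts/styles; keep it to a single, fully-qualified origin`, so operators do not widen it to a wildcard. Note that `static_url` is captured once at registration time, so later config changes would presumably not be reflected; `_set_security_headers` begins in the first hunk and `set_default_headers` continues past the second.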