diff --git a/.env.example b/.env.example
index 3519c298924..fc9e51c21ec 100644
--- a/.env.example
+++ b/.env.example
@@ -74,6 +74,8 @@ SESSION_LIFETIME=120
 QUEUE_CONNECTION=sync
 SECURITY_HEADER_HSTS_ENABLE=false
+SECURITY_HEADER_CSP_CONNECT_SRC=
+SECURITY_HEADER_SCRIPT_SRC_ALLOW=
 SESSION_SECURE_COOKIE=false
 REDIS_HOST=127.0.0.1
diff --git a/config/secure-headers.php b/config/secure-headers.php
index 918e2905cb2..c1e50b8b010 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -345,9 +345,10 @@
         ],
         // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-        'connect-src' => [
-            'https://lycheeorg.github.io/update.json',
-        ],
+        'connect-src' => array_merge(
+            ['https://lycheeorg.github.io/update.json'],
+            explode(",", env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
+        ),
         // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
         'default-src' => [
@@ -467,10 +468,10 @@
         // https://www.chromestatus.com/feature/5792234276388864
         'report-sample' => true,
-        'allow' => [
-            'https://www.dropbox.com/static/api/1/dropins.js',
-            // 'url',
-        ],
+        'allow' => array_merge(
+            ['https://www.dropbox.com/static/api/1/dropins.js'],
+            explode(",", env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
+        ),
         'schemes' => [
             // 'data:',
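Review bot: The two new variables in .env.example give no hint of the expected format, even though config/secure-headers.php splits them on commas and feeds the pieces straight into the CSP connect-src and script-src allow-lists. A one-line comment above each would spare operators from reading the config file, e.g. `# Comma-separated list of additional origins allowed by the CSP connect-src directive` and the equivalent wording for SECURITY_HEADER_SCRIPT_SRC_ALLOW. It is also worth noting in that comment that every entry widens the policy, so only origins the deployment actually needs should be listed.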
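Review bot: `explode(",", env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))` returns `['']` when the variable is unset or empty, so the default configuration now always appends an empty source to connect-src; the script-src `allow` list in the second hunk has the same problem. Entries written with surrounding whitespace (`https://a.example, https://b.example`) are also passed through untrimmed. Whether the secure-headers package silently drops an empty or padded entry or emits it into the header I cannot tell from here, so it is safer to clean the list at the source: `array_values(array_filter(array_map('trim', explode(',', env('SECURITY_HEADER_CSP_CONNECT_SRC', '')))))`, and likewise for the script-src value. The enclosing configuration array begins and ends outside the hunk.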