diff --git a/apps/demo/netlify.toml b/apps/demo/netlify.toml
index ffe32209c3..b27c79e7e9 100644
--- a/apps/demo/netlify.toml
+++ b/apps/demo/netlify.toml
@@ -41,3 +41,4 @@ for = "/*"
 [headers.values]
 # see a list of allowed values here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 access-control-allow-origin = "*"
+content-security-policy = "default-src 'self' https://cdpn.io; frame-ancestors 'self' https://cdpn.io; script-src 'self' 'unsafe-inline';"