diff --git a/app-config.yaml b/app-config.yaml
index 9048660..d77c8f0 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -19,7 +19,7 @@ backend:
     # host: 127.0.0.1
   csp:
     connect-src: ["'self'", 'http:', 'https:']
-    img-src: ["'self'", 'data:', 'https://avatars.githubusercontent.com']
+    img-src: ["'self'", 'data:', 'https:', 'https:']
     # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
     # Default Helmet Content-Security-Policy values can be removed by setting the key to false
   cors: