diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index f3534be..b30e91d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -89,7 +89,7 @@ http {
     root /var/empty;
     include snippets/security-headers.conf;
-    add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
+    add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
     # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
     add_header X-Frame-Options "DENY";
@@ -101,7 +101,7 @@ http {
     proxy_hide_header Content-Security-Policy;
     proxy_hide_header X-Frame-Options;
     include snippets/security-headers.conf;
-    add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
+    add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
     # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
     add_header X-Frame-Options "DENY";
     add_header X-Robots-Tag "none";
@@ -129,7 +129,7 @@ http {
     root /usr/share/webapps/element;
     include snippets/security-headers.conf;
-    add_header Content-Security-Policy "frame-ancestors 'self'; block-all-mixed-content";
+    add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content";
     # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-Robots-Tag "none";
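Review bot: The new policy in the first hunk locks down only scripts and styles, while every other fetch directive (img-src, connect-src, object-src, base-uri, form-action) stays at the browser default of unrestricted because no `default-src` is set; for a location whose root is /var/empty, `add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; block-all-mixed-content";` is both tighter and shorter, since `default-src 'none'` already implies `script-src 'none'` and `style-src 'none'`. The second hunk (the proxied location at -101,7) has the identical shape and would take the same change. Separately, nginx's `add_header` only emits on 2xx/3xx responses unless the `always` flag is given, so a location that serves nothing but 404s, and the proxied location when the upstream answers 4xx/5xx, will send no CSP at all; appending `always` to the CSP `add_header` in all three hunks would close that gap (this presumably also applies to the headers pulled in from snippets/security-headers.conf, which is outside the diff). The enclosing server/location blocks start and end outside these hunks.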
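Review bot: In the third hunk (the Element web root), `'unsafe-eval'` in script-src lets any same-origin script turn an attacker-controlled string into code, which removes most of the XSS protection that `script-src 'self'` was meant to add, and the line carries no comment saying which Element feature requires it; if WebAssembly is the reason, the narrower CSP3 keyword `'wasm-unsafe-eval'` permits WASM compilation without re-enabling string eval, so a comment such as `# 'unsafe-eval' required by <feature> — TODO confirm; prefer 'wasm-unsafe-eval' if only WASM needs it` above the directive would document the trade-off. As in the other hunks there is no `default-src`, so adding `object-src 'none'; base-uri 'self'` to this policy would block plugin embedding and `<base>` injection without affecting the app. Since this policy is enforced on a real application rather than an empty root, it is worth rolling it out first as `Content-Security-Policy-Report-Only` and checking browser console/report output before switching to the enforcing header, so that a missing source does not silently break the client. The enclosing location block starts and ends outside the hunk.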