diff --git a/config.js.dist b/config.js.dist
index caa48eed1..6ef7267c1 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -32,9 +32,14 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your cryptpad instance.
 */
- "connect-src 'self' ws://*",
 "child-src 'self' *",
+ /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove the ws://* directive, and change '*' to your domain
+ */
+ "connect-src 'self' ws://* wss://*",
+ // data: is used by codemirror
 "img-src 'self' data:",
 ].join('; '),
@@ -51,7 +56,9 @@ module.exports = {
 * configured for best effect.
 */
 "child-src 'self' *",
- "connect-src 'self' ws://*",
+
+ // see the comment above in the 'contentSecurity' section
+ "connect-src 'self' ws://* wss://*",
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
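Review bot: The shipped default `connect-src 'self' ws://* wss://*` lets the page open websockets to any host, and the new comment's `change '*' to your domain` is ambiguous about whether it means the `*` in `child-src 'self' *` or the wildcard hosts in the websocket sources. I'd have the comment name both explicitly: `/* production: replace ws://* wss://* with wss://<your-domain> and the * in child-src with the origins you actually embed */`. It is also worth stating that `ws://*` only matters for instances served over plain http, since browsers refuse insecure websocket connections from an https page, so an https deployment can drop it outright rather than leave it in. The same ambiguity carries into the second hunk, whose comment defers to this one. The enclosing module.exports object starts before the hunk and its contentSecurity array closes after the shown lines.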