diff --git a/app/__init__.py b/app/__init__.py
index 8cf3c7147..c45ad9a84 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -441,6 +441,7 @@ def useful_headers_after_request(response):
 response.headers.add('Content-Security-Policy', (
 "default-src 'self' 'unsafe-inline';"
 "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
+ "connect-src 'self' *.google-analytics.com;"
 "object-src 'self';"
 "font-src 'self' data:;"
 "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk {} data:;"
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index 130beac20..7e06b3961 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -10,6 +10,7 @@ def test_owasp_useful_headers_set(client, mocker):
 assert response.headers['Content-Security-Policy'] == (
 "default-src 'self' 'unsafe-inline';"
 "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
+ "connect-src 'self' *.google-analytics.com;"
 "object-src 'self';"
 "font-src 'self' data:;"
 "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk static-logos.test.com data:;"
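Review bot: The new `connect-src` entry uses the wildcard `*.google-analytics.com`, which under CSP host-source matching covers subdomains such as `www.google-analytics.com` but not the apex `google-analytics.com` itself nor `analytics.google.com`; confirm this against the endpoints the analytics snippet actually calls, because a blocked beacon only surfaces as a browser console report, never as a test failure. The caveat a future reader needs is that allowing a shared analytics host in `connect-src` (as `img-src` already does) gives any injected script an exfiltration channel to an attacker's own analytics property, and with `'unsafe-inline'` and `'unsafe-eval'` still in `script-src` injection is not otherwise blocked by this policy — worth recording inline, e.g. `# connect-src: GA beacons; shared host, so also an exfiltration channel if script injection is possible`. The `response.headers.add(...)` call and `useful_headers_after_request` continue outside the hunk.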
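Review bot: The assertion pins the entire header literal, so the test cannot show which directive this change is about and must be edited again on every unrelated CSP tweak; a directive-level check alongside it would make the intent explicit, e.g. `csp = response.headers['Content-Security-Policy']`, `directives = dict(d.split(' ', 1) for d in csp.split(';') if d)`, `assert directives['connect-src'] == "'self' *.google-analytics.com"` (this assumes every directive carries at least one source, which holds for the visible lines). The enclosing `test_owasp_useful_headers_set` starts and ends outside the hunk.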