diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee3c28858..8e638bdd8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Quote posts are now considered as part of the same thread as the post they are quoting
 - Simplified HTTP signature processing
 - Rich media will now hard-exit after 5 seconds, to prevent timeline hangs
+- HTTP Content Security Policy is now far more strict to prevent any potential XSS/CSS leakages
 
 ### Fixed 
 - /api/v1/accounts/lookup will now respect restrict\_unauthenticated
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 5f0b775be..b1f1ada94 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -106,20 +106,15 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     connect_src =
       if Config.get([:media_proxy, :enabled]) do
         sources = build_csp_multimedia_source_list()
-        ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
+        ["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
       else
-        ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
+        ["connect-src 'self' ", static_url, ?\s, websocket_url]
       end
 
-    style_src = "style-src 'self' 'unsafe-inline'"
-    font_src = "font-src 'self' data:"
+    style_src = "style-src 'self' '#{nonce_tag}'"
+    font_src = "font-src 'self'"
 
-    script_src =
-      if Config.get(:env) == :dev do
-        "script-src 'self' 'unsafe-eval' '#{nonce_tag}'"
-      else
-        "script-src 'self' '#{nonce_tag}'"
-      end
+    script_src = "script-src 'self' '#{nonce_tag}'"
 
     report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
     insecure = if scheme == "https", do: "upgrade-insecure-requests"
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index d6d841078..d88d4624f 100644
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -140,7 +140,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   defp assert_connect_src(conn, url) do
     conn = get(conn, "/api/v1/instance")
     [csp] = Conn.get_resp_header(conn, "content-security-policy")
-    assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+    assert csp =~ ~r/connect-src 'self' [^;]+ #{url}/
   end
 
   test "it does not send CSP headers when disabled", %{conn: conn} do