diff --git a/backend/src/server/plugins/serve-ui.ts b/backend/src/server/plugins/serve-ui.ts
index 7b56a957b5..2c69f14ce9 100644
--- a/backend/src/server/plugins/serve-ui.ts
+++ b/backend/src/server/plugins/serve-ui.ts
@@ -41,15 +41,15 @@ export const registerServeUI = async (
 // Define window.__toCdnUrl for Vite's experimental.renderBuiltUrl runtime support
 // This function is called by dynamically imported chunks to resolve CDN URLs
 const js = `
-window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});
-window.__toCdnUrl = function(filename) {
- var cdnHost = window.__INFISICAL_RUNTIME_ENV__.CDN_HOST || "";
- if (cdnHost && filename.startsWith("assets/")) {
- return cdnHost + "/" + filename;
- }
- return "/" + filename;
-};
-`.trim();
+ window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});
+ window.__toCdnUrl = function(filename) {
+ var cdnHost = window.__INFISICAL_RUNTIME_ENV__.CDN_HOST || "";
+ if (cdnHost && filename.startsWith("assets/")) {
+ return cdnHost + "/" + filename;
+ }
+ return "/" + filename;
+ };
+ `.trim();
 return res.send(js);
 }
 });
@@ -67,11 +67,9 @@ window.__toCdnUrl = function(filename) {
 .replace(/src="\/assets\//g, `src="${cdnHost}/assets/`)
 .replace(/href="\/assets\//g, `href="${cdnHost}/assets/`);
- const cspDirectives = ["script-src", "style-src", "font-src", "connect-src"];
- for (const directive of cspDirectives) {
- const regex = new RE2(`(${directive}\\s+'self')`, "g");
- indexHtml = indexHtml.replace(regex, `$1 ${cdnHost}`);
- }
+ indexHtml = indexHtml.replace(new RE2(`(__INFISICAL_CDN_HOST__)`, "g"), cdnHost);
+ } else {
+ indexHtml = indexHtml.replace(new RE2(`(__INFISICAL_CDN_HOST__)`, "g"), "");
 }
 await server.register(staticServe, {
diff --git a/frontend/index.html b/frontend/index.html
index b1dca0a761..42b5c04b67 100644
--- a/frontend/index.html
+++ b/frontend/index.html
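Review bot: Both new `replace` calls in the second hunk pass `cdnHost` (or `""`) as a string replacement, so any `$` sequence in the configured host (`$&`, `$1`, `$$`) is expanded by the replacer instead of being inserted literally, and nothing checks that the value is a single `scheme://host[:port]` before it is spliced into every CSP directive that carries the placeholder. The function form sidesteps the pattern expansion: `indexHtml = indexHtml.replace(new RE2("__INFISICAL_CDN_HOST__", "g"), () => cdnHost);` in the `if` branch and `() => ""` in the `else`, and deriving the inserted value from `new URL(cdnHost).origin` would reject whitespace or `;` that could otherwise widen the policy. The capture group in `(__INFISICAL_CDN_HOST__)` is unused either way. The `if` this `else` belongs to (presumably the `cdnHost` check) and the enclosing handler start above the hunk. Separately, the policy in frontend/index.html on this page declares `connect-src` twice; browsers honour only the first occurrence of a directive, so the host substituted into the second `connect-src` list never takes effect there.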
@@ -8,15 +8,15 @@
 http-equiv="Content-Security-Policy"
 content="
 default-src 'self';
- connect-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net https://*.posthog.com http://127.0.0.1:* https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm;
- script-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net https://*.posthog.com https://js.stripe.com https://api.stripe.com https://widget.intercom.io https://js.intercomcdn.com https://hcaptcha.com https://*.hcaptcha.com 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm;
- style-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;
+ connect-src 'self' __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net https://*.posthog.com http://127.0.0.1:* https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm;
+ script-src 'self' __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net https://*.posthog.com https://js.stripe.com https://api.stripe.com https://widget.intercom.io https://js.intercomcdn.com https://hcaptcha.com https://*.hcaptcha.com 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm;
+ style-src 'self' __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;
 child-src https://api.stripe.com;
 frame-src https://js.stripe.com/ https://api.stripe.com https://www.youtube.com/ https://hcaptcha.com https://*.hcaptcha.com;
- connect-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com https://api.pwnedpasswords.com http://127.0.0.1:* https://hcaptcha.com https://*.hcaptcha.com;
+ connect-src 'self' __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com https://api.pwnedpasswords.com http://127.0.0.1:* https://hcaptcha.com https://*.hcaptcha.com;
 img-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net https://static.intercomassets.com https://js.intercomcdn.com https://downloads.intercomcdn.com https://*.stripe.com https://i.ytimg.com/ data:;
- media-src https://d1zwf0dwl0k2ky.cloudfront.net https://js.intercomcdn.com;
- font-src 'self' https://d1zwf0dwl0k2ky.cloudfront.net https://fonts.intercomcdn.com/ https://fonts.gstatic.com;
+ media-src __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net https://js.intercomcdn.com;
+ font-src 'self' __INFISICAL_CDN_HOST__ https://d1zwf0dwl0k2ky.cloudfront.net https://fonts.intercomcdn.com/ https://fonts.gstatic.com;
 " />