diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 4964cf5ac..2e530e6df 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -240,6 +240,12 @@ SERVER_EMAIL = "root@get.gov"
 # as Host header may contain a proxy rather than the actual client
 USE_X_FORWARDED_HOST = True
 
+# Content-security policy header configuration
+CSP_DEFAULT_SRC = ["'none'"]
+CSP_STYLE_SRC = ["'self'"]
+CSP_SCRIPT_SRC = ["'self'"]
+CSP_IMG_SRC = ["'self'"]
+
 # endregion
 
 # region: Internationalisation----------------------------------------------###
diff --git a/src/zap.conf b/src/zap.conf
index f4e88ff07..4fef3aff0 100644
--- a/src/zap.conf
+++ b/src/zap.conf
@@ -28,7 +28,7 @@
 10035 FAIL (Strict-Transport-Security Header - Passive/beta)
 10036 WARN (HTTP Server Response Header - Passive/beta)
 10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
-10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
+10038 WARN (Content Security Policy (CSP) Header Not Set - Passive/beta)
 10039 WARN (X-Backend-Server Header Information Leak - Passive/beta)
 10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
 10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
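Review bot: The `frame-ancestors`, `form-action` and `base-uri` directives do not inherit from `default-src`, so `CSP_DEFAULT_SRC = ["'none'"]` on the added lines still leaves framing, cross-origin form posts and `<base>` injection unrestricted by this policy; consider adding `CSP_FRAME_ANCESTORS = ["'none'"]`, `CSP_FORM_ACTION = ["'self'"]` and `CSP_BASE_URI = ["'none'"]` (or `'self'` if a template needs a base tag). Conversely, directives that do fall back to `default-src` (font-src, connect-src, media-src) are now `'none'`, so any web fonts or fetch/XHR calls the site makes will be blocked unless `CSP_FONT_SRC`/`CSP_CONNECT_SRC` are set; this hunk cannot show whether the site uses them, so verify against the templates. These settings only have effect if the CSP middleware is installed and listed in `MIDDLEWARE`, which is not visible here — confirm that, and consider expanding the added comment to `# Content-Security-Policy header (consumed by the CSP middleware); default-src 'none' means every fetch type not listed below is blocked`.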
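Review bot: Downgrading rule 10038 from FAIL to WARN on the changed line removes the scan gate at the moment the header is being introduced, so a later regression (middleware dropped from MIDDLEWARE, a response path that bypasses it) would no longer fail the pipeline. If the header is now emitted on every response, the rule should stay at FAIL so the scan proves that; if ZAP still flags specific responses (static files or error pages without the header, which this hunk does not show), scope those out rather than lowering the severity globally. Suggested line: `10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)`.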