diff --git a/app.py b/app.py
index 38ebe7c..3d5891a 100644
--- a/app.py
+++ b/app.py
@@ -74,14 +74,15 @@ limiter = Limiter(app, key_func=rate_limit_key)
 @app.after_request
 def install_security_headers(resp):
- csp = "default-src 'none'; img-src 'self' https:; upgrade-insecure-requests; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'"
+ csp = "default-src 'none'; img-src 'self' https:; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'"
 if 'CSP_REPORT_URI' in app.config:
 csp += "; report-uri " + app.config.get('CSP_REPORT_URI')
- resp.headers.set('Content-Security-Policy', csp)
 if app.config.get('HTTPS'):
 resp.headers.set('strict-transport-security', 'max-age={}'.format(60*60*24*365))
+ csp += "; upgrade-insecure-requests"
+ resp.headers.set('Content-Security-Policy', csp)
 resp.headers.set('referrer-policy', 'no-referrer')
 resp.headers.set('x-content-type-options', 'nosniff')
 resp.headers.set('x-frame-options', 'DENY')