diff --git a/blog/settings.py b/blog/settings.py
index 870c332..5e2d8ef 100644
--- a/blog/settings.py
+++ b/blog/settings.py
@@ -227,3 +227,5 @@ CSP_CONNECT_SRC = ("'self'", https_goatcounter_domain)
 CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
 CSP_MANIFEST_SRC = ("'self'",)
 CSP_FONT_SRC = ("'self'",)
+CSP_BASE_URI = ("'none'",)
+CSP_FORM_ACTION = ("'self'",)
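Review bot: The two new directives deserve a short comment stating why they are set separately, since `base-uri` and `form-action` are among the CSP directives that do not fall back to `default-src`, which is the whole reason an explicit `CSP_BASE_URI`/`CSP_FORM_ACTION` is needed; something like `# base-uri and form-action do not inherit from default-src, so they must be set explicitly.` placed above `CSP_BASE_URI`. The same non-inheritance applies to `frame-ancestors`, so if `CSP_FRAME_ANCESTORS` is not defined elsewhere in settings.py (the start of the CSP block lies outside this hunk) it would belong alongside these two. Separately, the context line `CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")` still permits inline styles; that is pre-existing, but nonce-based styles via django-csp's `CSP_INCLUDE_NONCE_IN` would allow `'unsafe-inline'` to be dropped. Newer django-csp releases moved the `CSP_*` settings into a single `CONTENT_SECURITY_POLICY` dict, so it is worth confirming the pinned django-csp version still honors these flat settings rather than silently ignoring them.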