diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
index 41445f1ae9..b7d20c10c1 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
@@ -2,6 +2,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) {
 internal;
 include /etc/nginx/zulip-include/headers;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
 # The components of this path are originally double-URI-escaped
 # (see zerver/view/upload.py). "location" matches are on