diff --git a/.zap/rules.tsv b/.zap/rules.tsv
index 1d423e68..cdddf0ac 100644
--- a/.zap/rules.tsv
+++ b/.zap/rules.tsv
@@ -37,7 +37,7 @@
 10050 WARN (Retrieved from Cache)
 10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak)
 10054 WARN (Cookie without SameSite Attribute)
-10055 WARN (CSP)
+10055 IGNORE (CSP) We set CSP in both UI (with *) and backend (no *), unfortunately the UI needs to use * in case it is deployed separately
 10056 WARN (X-Debug-Token Information Leak)
 10057 WARN (Username Hash Found)
 10061 WARN (X-AspNet-Version Response Header)
@@ -56,7 +56,7 @@
 50001 WARN (Script Passive Scan Rules)
 90001 WARN (Insecure JSF ViewState)
 90002 WARN (Java Serialization Object)
-90003 IGNORE (Sub Resource Integrity Attribute Missing) Google Fonts API return dynamic stylesheets depending on OS/Browser and it is not possible to use static identity hashes
+90003 WARN (Sub Resource Integrity Attribute Missing)
 90011 WARN (Charset Mismatch)
 90022 WARN (Application Error Disclosure)
 90030 WARN (WSDL File Detection)
diff --git a/Makefile b/Makefile
index 5ff15212..3548fae5 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ CRICTL := $(TOOLSDIR)/bin/crictl
 CRICTL_VERSION := v1.26.1
 ACTION_VALIDATOR := $(TOOLSDIR)/bin/action-validator
 ACTION_VALIDATOR_VERSION := v0.2.1
-ZUI_VERSION := commit-2f94cc3
+ZUI_VERSION := commit-e0d4417
 STACKER := $(TOOLSDIR)/bin/stacker
 BATS := $(TOOLSDIR)/bin/bats
 TESTDATA := $(TOP_LEVEL)/test/data
diff --git a/pkg/extensions/extension_ui.go b/pkg/extensions/extension_ui.go
index 54cf4b00..7fffe6b3 100644
--- a/pkg/extensions/extension_ui.go
+++ b/pkg/extensions/extension_ui.go
@@ -7,6 +7,7 @@ import (
 	"embed"
 	"io/fs"
 	"net/http"
+	"strings"
 
 	"github.com/gorilla/mux"
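Review bot: Switching rule 10055 to IGNORE silences the CSP finding for every response ZAP scans, including the backend policy that this same commit adds in pkg/extensions/extension_ui.go, so a later regression there (a dropped directive, a wildcard source slipping in) would no longer be reported. The justification column only explains the UI bundle's use of `*`, which is a narrower problem than the rule covers. If the scanner configuration supports scoping a suppression to the UI routes, prefer that; otherwise consider keeping the rule at WARN and recording the accepted UI finding in the justification text, e.g. `10055 WARN (CSP) UI bundle intentionally uses * so it can be deployed separately; backend CSP must stay wildcard-free`. The 90003 hunk below re-enables the SRI check and needs no change.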
@@ -40,6 +41,18 @@ func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")
 
+		cspDirectives := []string{
+			"default-src 'none'",
+			"script-src 'self' 'unsafe-inline'",
+			"style-src 'self' 'unsafe-inline'",
+			"font-src 'self'",
+			"connect-src 'self'",
+			"img-src 'self'",
+			"manifest-src 'self'",
+			"base-uri 'self'",
+		}
+		w.Header().Set("Content-Security-Policy", strings.Join(cspDirectives, "; "))
+
 		h.ServeHTTP(w, r)
 	}
 }
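Review bot: The new cspDirectives list starts from `default-src 'none'` but has no `frame-ancestors` entry, and frame-ancestors does not fall back to default-src, so framing protection here still rests solely on the X-Frame-Options header two lines above. Adding `"frame-ancestors 'none'",` to the slice makes the policy self-contained; `form-action` is another directive that does not inherit from default-src and could be pinned the same way with `"form-action 'self'",` if the UI only posts to its own origin. `'unsafe-inline'` in script-src largely negates the script policy's value against injected markup; if the bundled UI can run without inline scripts, drop it, otherwise a nonce or hash allow-list is the usual replacement. A short comment above the slice noting why the two `'unsafe-inline'` sources are required would help the next reader judge whether they can be removed. addUISecurityHeaders begins before this hunk, so the closure's setup is not visible here.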