diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
index 7129372..867ee0f 100644
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@@ -17,12 +17,12 @@ export default defineEventHandler((event) => {
 if (!path.startsWith('/oidc/')) {
 headers['Content-Security-Policy'] = [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
 "font-src 'self' https://fonts.gstatic.com",
- "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
- "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+ "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
+ "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.app",
 "base-uri 'self'",
 "form-action 'self'",
 ].join('; ')
diff --git a/tests/server/middleware/security-headers.test.js b/tests/server/middleware/security-headers.test.js
index e6b50b1..acd3a35 100644
--- a/tests/server/middleware/security-headers.test.js
+++ b/tests/server/middleware/security-headers.test.js
@@ -86,7 +86,7 @@ describe('security-headers middleware', () => {
 const csp = event._testSetHeaders['content-security-policy']
 expect(csp).toContain('myposjs.helcim.com')
 expect(csp).toContain('api.helcim.com')
- expect(csp).toContain('secure.helcim.com')
+ expect(csp).toContain('secure.helcim.app')
 })
 it('includes Cloudinary sources in CSP', () => {
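Review bot: The new `https://secure.helcim.app` origin is added to script-src and connect-src as well as frame-src, whereas the origin it replaces, `secure.helcim.com`, was only ever allowed in frame-src; listing a third-party host in script-src lets any script served from it execute with full page privileges, so if the Helcim flow only needs to be embedded, keep the host in frame-src alone, `"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.app",`, and widen script-src only once a concrete script load from that origin is confirmed. The hunk does not show whether any code still references `secure.helcim.com`, so it is worth checking that no legacy iframe or XHR target was left behind, since it would now be blocked. With `'unsafe-inline' 'unsafe-eval'` retained in script-src, the host allowlist gives little XSS protection on its own; a comment above the array such as `// 'unsafe-inline'/'unsafe-eval' required by <which integration> — revisit with nonces/hashes` would tell the next reader why they are still there. The enclosing `defineEventHandler` callback starts before and ends after the hunk.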
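Review bot: The updated assertion only checks that `secure.helcim.app` appears somewhere in the header, so it would also pass if the host were placed in the wrong directive or if the retired origin were still present; pinning the directive and the removal, e.g. `expect(csp).toMatch(/frame-src [^;]*https:\/\/secure\.helcim\.app/)` and `expect(csp).not.toContain('secure.helcim.com')`, would make the test actually guard the migration this commit performs. The enclosing `it()` block starts before the hunk.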