diff --git a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
index 6980f250..8962c07e 100644
--- a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
@@ -69,20 +69,20 @@
 
     var envelopeKey = ViewData["EnvelopeKey"] as string;
 
-    <script nonce="@nonce">
-        var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
-        var byteCharacters = atob(base64String);
-        var byteNumbers = new Array(byteCharacters.length);
-        for (var i = 0; i < byteCharacters.length; i++) {
-            byteNumbers[i] = byteCharacters.charCodeAt(i);
-        }
-        var byteArray = new Uint8Array(byteNumbers);
-        var documentArrayBuffer = byteArray.buffer;
+<script nonce="@nonce">
+    var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
+    var byteCharacters = atob(base64String);
+    var byteNumbers = new Array(byteCharacters.length);
+    for (var i = 0; i < byteCharacters.length; i++) {
+        byteNumbers[i] = byteCharacters.charCodeAt(i);
+    }
+    var byteArray = new Uint8Array(byteNumbers);
+    var documentArrayBuffer = byteArray.buffer;
 
-        document.addEventListener("DOMContentLoaded", async () => {
-            const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", @Html.Raw(envelopeReceiverJson.TrySanitize(_sanitizer)), documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
-            await app.init();
-        })
-    </script>
+    document.addEventListener("DOMContentLoaded", async () => {
+        const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", @Html.Raw(envelopeReceiverJson.TrySanitize(_sanitizer)), documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
+        await app.init();
+    })
+</script>
 }
 <div id='app'></div>
\ No newline at end of file
diff --git a/EnvelopeGenerator.Web/appsettings.json b/EnvelopeGenerator.Web/appsettings.json
index 421e1c0d..d8779239 100644
--- a/EnvelopeGenerator.Web/appsettings.json
+++ b/EnvelopeGenerator.Web/appsettings.json
@@ -19,17 +19,18 @@
   },
   "PSPDFKitLicenseKey": null,
   /* The first format parameter {0} will be replaced by the nonce value. */
-  "TestCSP": false,
+  "TestCSP": true,
   "Content-Security-Policy": [
     "default-src 'self'",
-    "script-src 'self' 'nonce-{0}'",
-    "style-src 'self' 'nonce-{0}'",
-    "img-src 'self' data: https:",
+    "script-src 'self' 'nonce-{0}' 'unsafe-inline' 'unsafe-eval' blob: data:",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https: blob:",
     "font-src 'self'",
-    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:*",
+    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:* blob:",
     "frame-src 'self'",
     "media-src 'self'",
-    "object-src 'self'"
+    "object-src 'self'",
+    "worker-src 'self' blob: data:"
   ],
   "AdminPassword": "dd",
   "AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],