diff --git a/ee/app/controllers/concerns/arkose/content_security_policy.rb b/ee/app/controllers/concerns/arkose/content_security_policy.rb
index f9b795073d764ea85d553ca32b3d8ed4707ecfc0..fe139acc1695842e58d043c81e6ac0b2974aeebc 100644
--- a/ee/app/controllers/concerns/arkose/content_security_policy.rb
+++ b/ee/app/controllers/concerns/arkose/content_security_policy.rb
@@ -15,6 +15,10 @@ module ContentSecurityPolicy
         default_frame_src = policy.directives['frame-src'] || policy.directives['default-src']
         frame_src_values = Array.wrap(default_frame_src) | ['https://*.arkoselabs.com']
         policy.frame_src(*frame_src_values)
+
+        default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+        connect_src_values = Array.wrap(default_connect_src) | ['https://*.arkoselabs.com']
+        policy.connect_src(*connect_src_values)
       end
     end
   end
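Review bot: If neither `connect-src` nor `default-src` is configured, `Array.wrap(default_connect_src)` is empty and the added `policy.connect_src(*connect_src_values)` emits a directive listing only the Arkose host, so fetch/XHR/WebSocket traffic that was previously unrestricted on these pages would be limited to that one origin. The enclosing block starts outside the hunk, so an earlier guard may already exclude this case. If it does, a comment above the new lines would record the assumption, for example `# Same fallback as frame-src: start from connect-src, else default-src, then add the Arkose host`. The literal `'https://*.arkoselabs.com'` now appears on two visible lines, and a frozen constant would keep the allowlist in one place should the wildcard later be narrowed to specific hosts.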
diff --git a/ee/spec/features/users/arkose_content_security_policy_spec.rb b/ee/spec/features/users/arkose_content_security_policy_spec.rb
index 519f7ca4afb70a2c79821e43e35808aad9720466..9b4941e82493df4e1b6fa32f3f76a515a7611fa9 100644
--- a/ee/spec/features/users/arkose_content_security_policy_spec.rb
+++ b/ee/spec/features/users/arkose_content_security_policy_spec.rb
@@ -6,10 +6,21 @@
   include ContentSecurityPolicyHelpers
 
   shared_examples 'configures Content Security Policy headers correctly' do |controller_class|
-    it 'adds ArkoseLabs URL to Content Security Policy headers' do
+    it 'adds Arkose host value to the correct Content Security Policy directives', :aggregate_failures do
       visit page_path
 
-      expect(response_headers['Content-Security-Policy']).to include('https://*.arkoselabs.com')
+      arkose_url = 'https://*.arkoselabs.com'
+      csp = response_headers['Content-Security-Policy']
+      directives = csp.split(';').map(&:strip)
+      script_src = directives.find { |d| /^script-src/.match d }
+      frame_src = directives.find { |d| /^frame-src/.match d }
+      connect_src = directives.find { |d| /^connect-src/.match d }
+      style_src = directives.find { |d| /^style-src/.match d }
+
+      expect(script_src).to include(arkose_url)
+      expect(frame_src).to include(arkose_url)
+      expect(connect_src).to include(arkose_url)
+      expect(style_src).to include(%q(unsafe-inline))
     end
 
     context 'when there is no global CSP config' do
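Review bot: The lookup `/^script-src/.match d` and its three siblings are prefix matches, so `find` can return a `script-src-elem` or `script-src-attr` directive if one precedes `script-src` in the header, and the assertion then checks the wrong directive. Matching the directive name with its trailing space avoids that: `script_src = directives.find { |d| d.start_with?('script-src ') }`, and likewise for `frame-src`, `connect-src` and `style-src`. The `style_src` expectation pins `unsafe-inline`, a relaxation whose source is not visible in this diff. A one-line comment naming the code that sets it would help the next reader judge whether it is still needed.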