diff --git a/app.ts b/app.ts
index 182fc8a5..f3e560ee 100644
--- a/app.ts
+++ b/app.ts
@@ -41,6 +41,7 @@ export const appFactory = async () => {
     app.use(logger);
     app.use(boundaryCheck);
     app.use(
+        "/api/*",
         secureHeaders({
             contentSecurityPolicy: {
                 // We will not be returning HTML, so everything should be blocked