diff --git a/app/app.js b/app/app.js
index 83b9ad321..84da383bb 100644
--- a/app/app.js
+++ b/app/app.js
@@ -27,6 +27,13 @@ const state = {
 let probeId;
 const app = express();
+
+// Set the CSP header so that external media cannot be displayed in the forms.
+app.use((_req, res, next) => {
+ res.setHeader('Content-Security-Policy', "default-src 'self'");
+ next();
+});
+
 app.use(compression());
 app.use(express.json({ limit: config.get('server.bodyLimit') }));
 app.use(express.urlencoded({ extended: true }));
@@ -59,12 +66,6 @@ app.use((_req, res, next) => {
 app.use(config.get('server.basePath') + config.get('server.apiPath'), rateLimiter);
-// Set the CSP header so that external media cannot be displayed in the forms.
-app.use((_req, res, next) => {
- res.setHeader('Content-Security-Policy', "default-src 'self'");
- next();
-});
-
 // Frontend configuration endpoint
 apiRouter.use('/config', (_req, res, next) => {
 try {
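Review bot: The policy set by the middleware added after `const app = express();` is only `default-src 'self'`, and `default-src` is not a fallback for `frame-ancestors`, `base-uri` or `form-action`, so framing of the app, an injected `<base>` tag and form submissions to other origins remain unrestricted. If the frontend allows it (worth checking before tightening), consider `"default-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"`. The comment also still explains only the media case, while the move appears to be about ordering: in the old position, responses ended by earlier middleware such as the rate limiter would not have carried the header. I would record that with `// Registered first so that responses ended by earlier middleware (e.g. the rate limiter) also carry the CSP.` so that a later refactor does not move it back down.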