diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml index d586003..5752b01 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml @@ -46,7 +46,7 @@ spec: podDisruptionBudget: maxUnavailable: "50%" git: - tag: "r-fabddcc580ca40da55be2c2defaa0717bf85a07b" + tag: "r-a8541357ef49b3b0096f5e1d2060c700bb6b7e28" dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp" credentials: "git-credentials" keystores: diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua new file mode 100644 index 0000000..45b58e6 --- /dev/null +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua 
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("CSP01", "CSP-header set by backend, keep it as is (" .. cspHeader .. ")")
+ else
+ trace:debug("CSP02", "CSP-header not set by backend, we set the default AGOV one (" .. param_csp .. ")")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("CSP03", "Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy", param_csp)
+ else
+ trace:debug("CSP03", "No report only CSP-header set")
+ end
+end
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
index 929e0d3..c27c76b 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
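Review bot: The report-only branch (the second `if` in outputHeader) writes `param_csp` into `content-security-policy` a second time instead of emitting the report-only header, so a backend-supplied policy that the first branch deliberately kept is overwritten whenever `param_report_only_csp` is configured, and no report-only header is ever sent; the line should read `response:setHeader("content-security-policy-report-only", param_report_only_csp)`. `trace` and `cspHeader` are assigned without `local` and leak into the script's global environment; use `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")`. Both debug calls in that block reuse the id `CSP03` and the first message has a typo (`Additionl`); give the else branch its own id such as `CSP04`. Whether `getHeader` matches header names case-insensitively is not visible here; if it does not, a backend sending `Content-Security-Policy` would be treated as unset and receive the AGOV default on top of its own header. Note also that a backend-provided policy is kept verbatim with no check that it is at least as strict as the default, so with the `/*` mapping added in web.xml the effective policy is only as strong as each backend's own.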
@@ -451,6 +451,36 @@ + + + Lua_CSP_Security_Response_Headers + ch::nevis::isiweb4::filter::lua::LuaFilter + + + Script.Namespace + param_ + + + + Script.OutputHeaderFunctionName + outputHeader + + + + Script.Path + /var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua + + + + param_csp + default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:; child-src blob:; connect-src 'self' https://eu-api.friendlycaptcha.eu/api/v1/puzzle; img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + + + param_report_only_csp + default-src 'none'; script-src 'wasm-unsafe-eval' 'self'; worker-src blob:; child-src blob:; connect-src 'self' https://eu-api.friendlycaptcha.eu/api/v1/puzzle; img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + Lua_IdP-Cors-Filter 
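Review bot: Neither `param_csp` nor `param_report_only_csp` carries a `report-to` or `report-uri` directive, so violations of the report-only policy surface only in the end user's browser console and never reach the operators; without a reporting endpoint the report-only variant (script-src without the hashes) gives no signal about whether it is safe to enforce later. The `form-action` list has also widened from the path-specific entries removed in the hunk at `@@ -703,13 +733,12 @@` (`/adfs/ls`, `/registration/api/login/saml2/sso/agovidpdirect`, `/account/api/login/saml2/sso/agovidpdirect`) to the whole `trustbroker` and `me` hosts, and the captcha endpoint moves from `api.friendlycaptcha.com` to `eu-api.friendlycaptcha.eu`; both may be intentional but are worth confirming since the old policy was report-only and the new `param_csp` is enforced. The init-param markup is stripped in this view, so the element structure itself cannot be checked here.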
@@ -703,13 +733,12 @@ - ResponseHeader_Security_Response_Headers + ResponseHeader_Base_Security_Response_Headers ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter DelegateToFrontend - Content-Security-Policy-Report-Only:default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:; child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle; img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect; font-src 'self'; Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Opener-Policy:same-origin Cross-Origin-Resource-Policy:same-site @@ -959,9 +988,14 @@ Lua_SessionTimeoutPostprocessing /AUTH/RECOVERY/* + + + Lua_CSP_Security_Response_Headers + /* + - ResponseHeader_Security_Response_Headers + ResponseHeader_Base_Security_Response_Headers /*