diff --git a/fec/fec/middleware.py b/fec/fec/middleware.py
index 5772edd2f3..1e04a20c07 100644
--- a/fec/fec/middleware.py
+++ b/fec/fec/middleware.py
@@ -14,13 +14,13 @@ def process_response(self, request, response):
 content_security_policy = {
 "default-src": "'self' *.fec.gov *.app.cloud.gov https://www.google-analytics.com",
 "frame-src": "'self' https://www.google.com/recaptcha/",
- "img-src": "'self' data: http://*.fastly.net https://www.google-analytics.com",
+ "img-src": "'self' data: https://*.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov",
 "script-src": "'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov",
 "style-src": "'self' data: 'unsafe-inline'",
 "object-src": "'none'",
 "report-uri": REPORT_URI,
 }
- if settings.FEC_CMS_ENVIRONMENT == settings.ENVIRONMENTS.get('local'):
+ if settings.FEC_CMS_ENVIRONMENT == 'LOCAL':
 content_security_policy["default-src"] += " localhost:* http://127.0.0.1:*"
 response["Content-Security-Policy"] = "".join(
diff --git a/fec/fec/settings/base.py b/fec/fec/settings/base.py
index 16c70e3b4b..b434958de0 100644
--- a/fec/fec/settings/base.py
+++ b/fec/fec/settings/base.py
@@ -123,7 +123,7 @@
 'audit_log.middleware.UserLoggingMiddleware',
 )
-CSRF_TRUSTED_ORIGINS = ["*.fec.gov", "*.app.cloud.gov"]
+CSRF_TRUSTED_ORIGINS = ["fec.gov", "app.cloud.gov"]
 if FEC_CMS_ENVIRONMENT == 'LOCAL':
 CSRF_TRUSTED_ORIGINS.extend(["127.0.0.1:5000"])
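Review bot: The local-environment check now compares `settings.FEC_CMS_ENVIRONMENT` against the bare literal `'LOCAL'`, and the same literal is repeated in fec/fec/settings/base.py in this commit, so the CSP relaxation (`localhost:* http://127.0.0.1:*`) and the local CSRF origin can silently drift apart if the canonical value ever changes; a single constant defined next to `FEC_CMS_ENVIRONMENT` (e.g. `LOCAL_ENV = 'LOCAL'`, name to taste) and referenced from both places would keep them in step. Note also that the local extras are appended only to `default-src`, while `img-src`, `script-src`, `style-src` and `frame-src` are set explicitly and therefore never fall back to `default-src`, so a locally served image or script is still blocked under this policy — if that is intended, a comment such as `# local override only widens default-src (connect/font/etc.); explicit directives above still apply` would save the next reader the CSP-fallback lookup. Out of scope for this change but worth a follow-up: `script-src` keeps `'unsafe-inline' 'unsafe-eval'`, which removes most of the XSS protection the header is meant to provide. process_response's body continues past the end of the hunk.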
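Review bot: The new `CSRF_TRUSTED_ORIGINS = ["fec.gov", "app.cloud.gov"]` entries carry neither a scheme nor a subdomain wildcard, and their meaning depends on the Django version in use, which is not visible here: before Django 4.0 a bare host is an exact match (only a request whose host is literally `fec.gov` or `app.cloud.gov` is trusted, and a subdomain wildcard is spelled with a leading dot, `.fec.gov`), while from Django 4.0 on every entry must start with a scheme (`https://*.fec.gov`) or the setting is rejected at startup. Either way, hosts such as `www.fec.gov` or a `<name>.app.cloud.gov` app are not covered by these values, so cross-origin POSTs from them will fail CSRF verification unless the CMS is only ever addressed at exactly those two hosts — please confirm the installed Django version and write the entries in its format. The `127.0.0.1:5000` entry appended on the `'LOCAL'` branch has the same scheme/format dependency. The hunk header counts 7 lines on each side but only 5 are visible, so blank context lines were probably lost in rendering.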