diff --git a/client/web/web.go b/client/web/web.go
index e5f754a4e..f81282af2 100644
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -220,9 +220,12 @@ func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
 return
 }
- w.Header().Set("X-Frame-Options", "DENY")
- w.Header().Set("Content-Security-Policy", "default-src 'self'")
- w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+ if !s.devMode {
+ w.Header().Set("X-Frame-Options", "DENY")
+ // TODO: use CSP nonce or hash to eliminate need for unsafe-inline
+ w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src * data:")
+ w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+ }
 }
 if strings.HasPrefix(r.URL.Path, "/api/") {
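Review bot: The new `if !s.devMode` guard drops X-Frame-Options and Cross-Origin-Resource-Policy along with the CSP, although only the CSP appears to be what dev tooling needs relaxed; a dev-mode server reachable from a browser then has no clickjacking or cross-origin-read protection at all. Keep those two `Set` calls unconditional and gate only the `Content-Security-Policy` line, or, if dev mode genuinely needs framing, add a comment on the `if` stating that assumption. Separately, `'unsafe-inline'` in `default-src` also applies to `script-src`, so any reflected HTML injection in this UI becomes executable script; if the inline content is styles only, `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * data:` keeps scripts locked down until the nonce/hash TODO lands (confirm against the templates that no inline scripts exist). The `img-src *` wildcard also lets the page fetch images from any origin, which is worth noting in the TODO if it is intentional. The enclosing `serve` method begins and ends outside this hunk.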