diff --git a/apps/login/constants/csp.js b/apps/login/constants/csp.js
index 5cc1e254f31..ac1b738cac2 100644
--- a/apps/login/constants/csp.js
+++ b/apps/login/constants/csp.js
@@ -1,2 +1,6 @@
+const ZITADEL_DOMAIN = process.env.ZITADEL_API_URL
+ ? new URL(process.env.ZITADEL_API_URL).hostname
+ : '*.zitadel.cloud';
+
 export const DEFAULT_CSP =
- "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; connect-src 'self'; child-src; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; img-src 'self' https://vercel.com;";
+ `default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; connect-src 'self'; child-src; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; img-src 'self' https://vercel.com https://${ZITADEL_DOMAIN};`;
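Review bot: `ZITADEL_DOMAIN` keeps only `.hostname` and the template hard-codes `https://`, so an API URL with a non-default port or an `http` scheme (for example a self-hosted or local instance) yields an `img-src` entry that does not match the real origin, and its images are blocked. Using the parsed origin keeps scheme and port: `const ZITADEL_ORIGIN = process.env.ZITADEL_API_URL ? new URL(process.env.ZITADEL_API_URL).origin : 'https://*.zitadel.cloud';` with `${ZITADEL_ORIGIN}` in the policy. `new URL()` also throws at module load when the variable is set but is not an absolute URL, so a guarded parse with a clear startup error would be easier to diagnose. The `*.zitadel.cloud` fallback allows images from every tenant subdomain of a shared domain; a comment such as `// fallback only: set ZITADEL_API_URL so the policy names a single host` would make that trade-off explicit.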