diff --git a/docker-unified/hbs/nginx-config.hbs b/docker-unified/hbs/nginx-config.hbs
index 5a69352c4..382913796 100644
--- a/docker-unified/hbs/nginx-config.hbs
+++ b/docker-unified/hbs/nginx-config.hbs
@@ -57,7 +57,7 @@ server {
     include /etc/nginx/security-headers-ssl.conf;
 {{/if}}
     include /etc/nginx/security-headers.conf;
-    add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;"}}}";
+    add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory; object-src 'self' blob:;"}}}";
     add_header X-Frame-Options SAMEORIGIN;
     add_header X-Robots-Tag "noindex, nofollow";
   }
diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index 0dcfe6ab7..36f82ea4f 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -81,7 +81,7 @@ public class Configuration
         "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
         "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
         "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
-        "https://2fa.directory; object-src 'self' blob:;";
+        "https://api.2fa.directory; object-src 'self' blob:;";
 
     [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
         "app live sync.")]