diff --git a/src/apps.js b/src/apps.js
index 6a8b4a0cb..ebf09e92e 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -441,8 +441,8 @@ function validateCsp(csp) {
     if (csp === null) return null;
 
     if (csp.length > 4096) return new BoxError(BoxError.BAD_FIELD, 'CSP must be less than 4096');
-
     if (csp.includes('"')) return new BoxError(BoxError.BAD_FIELD, 'CSP cannot contains double quotes');
+    if (csp.includes('\n')) return new BoxError(BoxError.BAD_FIELD, 'CSP cannot contain newlines');
 
     return null;
 }