diff --git a/src/views/app.html b/src/views/app.html
index c0d8f2d42..6cf0d67ee 100644
--- a/src/views/app.html
+++ b/src/views/app.html
@@ -624,14 +624,14 @@
             <fieldset>
               <form role="form" name="securityForm" ng-submit="security.submit()" autocomplete="off">
                 <div class="form-group">
-                  <label class="control-label" style="width: 100%">Specify robots.txt file content  <sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#indexing-by-search-engines-robotstxt" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> <a href="" class="pull-right" style="font-weight: normal;" ng-click="security.robotsTxt = ROBOTS_DISABLE_INDEXING_TEMPLATE">Disable indexing</a></label>
+                  <label class="control-label" style="width: 100%">Robots.txt <sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#indexing-by-search-engines-robotstxt" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> <a href="" class="pull-right" style="font-weight: normal;" ng-click="security.robotsTxt = ROBOTS_DISABLE_INDEXING_TEMPLATE">Disable indexing</a></label>
                   <textarea ng-model="security.robotsTxt" placeholder="Leave empty to allow all bots to index this app" class="form-control" rows="4"></textarea>
                 </div>
 
                 <div class="form-group">
-                  <label class="control-label" style="width: 100%">Content Embedding</label>
-                  <p>Provide a space-separated list of domains that can embed this app</p>
-                  <input type="text" class="form-control" ng-model="security.frameAncestors" placeholder="example.com *.example.com"></input>
+                  <label class="control-label" style="width: 100%">Content Security Policy<sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#custom-csp" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> </label>
+                  <p>Setting this option will override any CSP headers sent by the app itself</p>
+                  <textarea ng-model="security.csp" placeholder="default-src 'self'; frame-ancestors 'none';" class="form-control" rows="2"></textarea>
                 </div>
 
                 <input class="ng-hide" type="submit" ng-disabled="securityForm.$invalid || security.busy"/>
diff --git a/src/views/app.js b/src/views/app.js
index 1b14ebf38..d55bc783e 100644
--- a/src/views/app.js
+++ b/src/views/app.js
@@ -494,24 +494,21 @@ angular.module('Application').controller('AppController', ['$scope', '$location'
         success: false,
 
         robotsTxt: '',
-        frameAncestors: '',
+        csp: '',
 
         show: function () {
             $scope.security.error = {};
             $scope.security.robotsTxt = $scope.app.reverseProxyConfig.robotsTxt || '';
-            $scope.security.frameAncestors = ($scope.app.reverseProxyConfig.frameAncestors || []).join(' ');
+            $scope.security.csp = $scope.app.reverseProxyConfig.csp || '';
         },
 
         submit: function () {
             $scope.security.busy = true;
             $scope.security.error = {};
 
-            var fa = $scope.security.frameAncestors.split(' ').map(function (t) { return t.trim(); }).filter(function (t) { return !!t; });
-
             var reverseProxyConfig = {
-                robotsTxt: $scope.security.robotsTxt,
-                frameAncestors: fa,
-                hideHeaders: []
+                robotsTxt: $scope.security.robotsTxt || null, // empty string resets
+                csp: $scope.security.csp || null // empty string resets
             };
 
             Client.configureApp($scope.app.id, 'reverse_proxy', reverseProxyConfig, function (error) {