diff --git a/csp-headers.conf b/csp-headers.conf
index ae509ce6b8..fcd869a3ec 100644
--- a/csp-headers.conf
+++ b/csp-headers.conf
@@ -1,3 +1,5 @@
 # Included from each location block that sets Cache-Control (nginx does not inherit
 # add_header from http/server when a location defines its own add_header).
-add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com  https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;
+# connect-src must allow cross-origin API when the FE is on another Isaac host (e.g. ALB shadow → www.staging API).
+# https://*.isaaccomputerscience.org matches only one subdomain label; multi-label staging hosts are listed explicitly.
+add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com  https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' https://*.isaaccomputerscience.org https://www.staging.development.isaaccomputerscience.org https://staging.development.isaaccomputerscience.org https://isaac-stack-alb-test.development.isaaccomputerscience.org wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;