diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 7f6480cca..efb36c3f6 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -183,7 +183,7 @@ server {
 try_files $uri $uri/ /index.html;
 # Use 'none' per directive instead of falling back to default-src to make CSP violation reports more specific
- add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data: https://translate.google.com; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
+ add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src data: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
 include /usr/share/odk/nginx/common-headers.conf;
 }
diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js
index 0595ee5a9..07e9a204a 100644
--- a/test/nginx/test-nginx.js
+++ b/test/nginx/test-nginx.js
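Review bot: `img-src data: https:` on the added add_header line permits images from any HTTPS origin, so while it narrows from `*` by dropping plain http: and other schemes, it also replaces the single explicitly listed translate.google.com host with a scheme-wide allowance; the comment above the directive explains only the per-directive 'none' choice, not why img-src alone is scheme-wide while every other directive in the policy stays host-listed. A one-line comment recording that reason, for example `# img-src is scheme-wide (https:) rather than a host list because <reason — fill in>`, would keep a later tightening from silently breaking whatever depends on it. Because the header is Content-Security-Policy-Report-Only, this change only alters what is reported to /csp-report, not what the browser blocks, so if an enforcing Content-Security-Policy exists elsewhere in the configuration it should carry the same img-src value. The enclosing server block begins outside the hunk.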
@@ -16,18 +16,20 @@ const asArray = val => {
 if (Array.isArray(val)) return val;
 return [val];
 };
-const allowGoogleTranslate = ({ 'connect-src':connectSrc, 'img-src':imgSrc, ...others }) => ({
- ...others,
- 'connect-src': [
- ...asArray(connectSrc),
+const allowGoogleTranslate = ({ 'connect-src':connectSrc, 'img-src':imgSrc, ...others }) => {
+ connectSrc = asArray(connectSrc);
+ if(!connectSrc.includes('https:')) connectSrc.push(
 'https://translate.google.com',
 'https://translate.googleapis.com',
- ],
- 'img-src': [
- ...asArray(imgSrc),
+ );
+
+ imgSrc = asArray(imgSrc);
+ if(!imgSrc.includes('https:')) imgSrc.push(
 'https://translate.google.com',
- ],
-});
+ );
+
+ return { ...others, 'connect-src':connectSrc, 'img-src':imgSrc };
+};
 const contentSecurityPolicies = {
 'backend-unmodified': {
@@ -43,7 +45,10 @@ const contentSecurityPolicies = {
 self,
 'https://getodk.github.io/central/news.html',
 ],
- 'img-src': '* data:',
+ 'img-src': [
+ 'data:',
+ 'https:',
+ ],
 'manifest-src': none,
 'media-src': none,
 'object-src': none,
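Review bot: The new `connectSrc.push(...)` and `imgSrc.push(...)` calls mutate the array that `asArray` returns, and `asArray` (visible in the hunk's context) returns its argument unchanged when it is already an array, so if `allowGoogleTranslate` is applied to a shared fixture such as an entry of `contentSecurityPolicies` the fixture itself gains the extra hosts and any later test reading it sees the modified value; the removed version built fresh arrays with spread and had no such side effect. Reassigning the destructured parameters `connectSrc`/`imgSrc` also hides that they are now aliases of caller-owned data. A small helper that copies the list and returns a new array keeps the `https:` short-circuit the commit introduces while restoring the old immutability; the whole of allowGoogleTranslate lies inside the hunk, its callers do not. Separately, `includes('https:')` is an exact-token check, so a list that already names the two hosts explicitly would get them pushed a second time — harmless to a CSP but noisy in assertions; this is inferred, since the callers are outside the hunk.
```javascript
// Returns a copy of `src` (as an array) with `hosts` appended, unless the
// list already allows every https: origin. Copies rather than pushes because
// asArray() hands back the caller's own array when given one.
const withHosts = (src, hosts) => {
  const list = asArray(src);
  return list.includes('https:') ? [...list] : [...list, ...hosts];
};

const allowGoogleTranslate = ({ 'connect-src':connectSrc, 'img-src':imgSrc, ...others }) => ({
  ...others,
  'connect-src': withHosts(connectSrc, ['https://translate.google.com', 'https://translate.googleapis.com']),
  'img-src': withHosts(imgSrc, ['https://translate.google.com']),
});
```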