diff --git a/assets/.htaccess.ejs b/assets/.htaccess.ejs
index bc8e8cd20e3f3bc19acf9e6aead6695ad20273e2..321058f0549f4bb0a6533ab612b6bd4f5472302e 100644
--- a/assets/.htaccess.ejs
+++ b/assets/.htaccess.ejs
@@ -4,7 +4,7 @@ DirectoryIndex <%= geturl('vpu-signature.html') %>
 </FilesMatch>
 
 Header set Cache-Control "must-revalidate, max-age=60"
-Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org; img-src *"
+Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org www.handy-signatur.at <%= pdfAsQualifiedlySigningServer %>; img-src *"
 
 # Apache adds a "-gzip" suffix to the etag when it uses gzip but doesn't
 # take that into account when receiving requests.
diff --git a/rollup.config.js b/rollup.config.js
index 4d5c9ce29a121fc89605dc7f70f0c7f42b84f13c..d7e0f2adca33b65e31f32d6c130cf2761aa74c27 100644
--- a/rollup.config.js
+++ b/rollup.config.js
@@ -33,6 +33,7 @@ let basePath = '';
 let entryPointURL = '';
 let keyCloakServer = '';
 let keyCloakBaseURL = '';
+let pdfAsQualifiedlySigningServer = 'sig-dev.tugraz.at';
 let matomoSiteId = 131;
 let useTerser = true;
 let useBabel = true;
@@ -62,6 +63,7 @@ switch (build) {
     entryPointURL = 'https://signature.tugraz.at';
     keyCloakServer = 'auth.tugraz.at';
     keyCloakBaseURL = 'https://' + keyCloakServer + '/auth';
+    pdfAsQualifiedlySigningServer = 'sig.tugraz.at';
     matomoSiteId = 130;
     break;
   case 'test':
@@ -191,6 +193,7 @@ export default {
             entryPointURL: entryPointURL,
             keyCloakServer: keyCloakServer,
             keyCloakBaseURL: keyCloakBaseURL,
+            pdfAsQualifiedlySigningServer: pdfAsQualifiedlySigningServer,
             environment: build,
             matomoSiteId: matomoSiteId,
             buildinfo: getBuildInfo()
@@ -264,7 +267,7 @@ export default {
           historyApiFallback: basePath + pkg.name + '.html',
           https: USE_HTTPS ? generateTLSConfig() : false,
           headers: {
-              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org; img-src *`
+              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org www.handy-signatur.at ${pdfAsQualifiedlySigningServer} ; img-src *`
           },
         }) : false
     ]