diff --git a/app/services/image_upload_presigned_url_generator.rb b/app/services/image_upload_presigned_url_generator.rb
index e8c37b58974..c3c1d4a8086 100644
--- a/app/services/image_upload_presigned_url_generator.rb
+++ b/app/services/image_upload_presigned_url_generator.rb
@@ -16,10 +16,6 @@ def presigned_image_upload_url(image_type:, transaction_id:)
 end
 end
- def bucket_url
- s3_resource&.bucket(bucket(prefix: bucket_prefix))&.url
- end
-
 def bucket_prefix
 'login-gov-idp-doc-capture'.freeze
 end
diff --git a/app/views/idv/shared/_document_capture.html.erb b/app/views/idv/shared/_document_capture.html.erb
index 4a2c1a14865..d8ad0e1886e 100644
--- a/app/views/idv/shared/_document_capture.html.erb
+++ b/app/views/idv/shared/_document_capture.html.erb
@@ -3,6 +3,10 @@
 <%= tag :meta, name: 'acuant-sdk-initialization-endpoint', content: AppConfig.env.acuant_sdk_initialization_endpoint %>
 <%= tag :meta, name: 'acuant-sdk-initialization-creds', content: AppConfig.env.acuant_sdk_initialization_creds %>
 <% end %>
+<% SecureHeaders.append_content_security_policy_directives(
+ request,
+ connect_src: [front_image_upload_url, back_image_upload_url, selfie_image_upload_url].compact
+) %>
 <%= tag.div id: 'document-capture-form', data: {
 liveness_required: liveness_checking_enabled?.presence,
 mock_client: (DocAuthRouter.doc_auth_vendor == 'mock').presence,
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 7d7a5e3985a..c50bbcf2b7e 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
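Review bot: The values appended to connect_src in the new `SecureHeaders.append_content_security_policy_directives` call are the full per-request upload URLs; if these are presigned S3 URLs (the deleted `bucket_url` and the generator's `presigned_image_upload_url` suggest so), each carries a signature query string, which CSP source expressions cannot express — browsers drop it (Chrome logs a warning per directive), so the effective allow-list is the bucket host plus object path rather than what the view appears to write. Strip the query explicitly so the policy reads as intended, e.g. `connect_src: [front_image_upload_url, back_image_upload_url, selfie_image_upload_url].compact.map { |u| u.split('?', 2).first }`. The append also only runs when this partial is actually rendered, so any fragment caching of it would silently leave the upload host out of the header; a comment such as `<%# connect-src is extended per request because the upload URLs vary per request and cannot be fixed at boot %>` would record that constraint. The removed `bucket_url` spec cases are not replaced by any test of the per-request append; a request spec asserting the upload host appears in the Content-Security-Policy header would cover the new path. The `*_image_upload_url` helpers are defined outside this hunk.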
@@ -9,10 +9,6 @@
 connect_src = ["'self'", '*.newrelic.com', '*.nr-data.net', '*.google-analytics.com', 'services.assureid.net']
 connect_src << %w[ws://localhost:3035 http://localhost:3035] if Rails.env.development?
- if AppConfig.env.doc_auth_enable_presigned_s3_urls == 'true'
- image_upload_bucket_url = ImageUploadPresignedUrlGenerator.new.bucket_url
- connect_src << "#{image_upload_bucket_url.chomp('/')}/*" if image_upload_bucket_url
- end
 default_csp_config = {
 default_src: ["'self'"],
 child_src: ["'self'", 'www.google.com'], # CSP 2.0 only; replaces frame_src
diff --git a/spec/services/image_upload_presigned_url_generator_spec.rb b/spec/services/image_upload_presigned_url_generator_spec.rb
index 491418a1d8a..4595890b2d8 100644
--- a/spec/services/image_upload_presigned_url_generator_spec.rb
+++ b/spec/services/image_upload_presigned_url_generator_spec.rb
@@ -58,40 +58,4 @@
 end
 end
 end
-
- describe '#bucket_url' do
- before do
- end
-
- context 'AWS credentials are not set' do
- before do
- allow(LoginGov::Hostdata::EC2).to receive(:load).
- and_raise(Net::OpenTimeout)
- allow(Aws::S3::Resource).to receive(:new).
- and_raise(Aws::Sigv4::Errors::MissingCredentialsError, 'Credentials not set')
- end
-
- it 'returns nil' do
- expect(generator.bucket_url).to be_nil
- end
- end
-
- context 'AWS credentials are set' do
- before do
- allow(LoginGov::Hostdata).to receive(:env).and_return('test')
- allow(LoginGov::Hostdata::EC2).to receive(:load).and_return(
- OpenStruct.new(account_id: '123456789', region: 'us-west-2'),
- )
- client_stub = Aws::S3::Client.new(region: 'us-west-2', stub_responses: true)
- resource_stub = Aws::S3::Resource.new(client: client_stub)
- allow(generator).to receive(:s3_resource).and_return(resource_stub)
- end
-
- it 'returns S3 bucket url' do
- expect(generator.bucket_url).to eq(
- 'https://s3.us-west-2.amazonaws.com/login-gov-idp-doc-capture-test.123456789-us-west-2',
- )
- end
- end
- end
 end