diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index c60af496fb455..d335e23f20488 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -99,6 +99,9 @@ func GetDefaultContentSecurityPolicy() string {
 "frame-ancestors 'none'",
 // additional default restrictions
 "object-src 'none'",
+ // auto-pay plans in Cloud use stripe.com to manage billing information
+ "script-src 'self' https://js.stripe.com",
+ "frame-src https://js.stripe.com",
 }, ";")
 }
diff --git a/lib/services/presets.go b/lib/services/presets.go
index 752eb090b4c19..b2c6217419ade 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -85,6 +85,7 @@ func NewPresetEditorRole() types.Role {
 types.NewRule(types.KindOktaAssignment, RW()),
 types.NewRule(types.KindPlugin, RW()),
 types.NewRule(types.KindIntegration, append(RW(), types.VerbUse)),
+ types.NewRule(types.KindBilling, RW()),
 // Please see defaultAllowRules when adding a new rule.
 },
 },
@@ -205,6 +206,7 @@ func defaultAllowRules() map[string][]types.Rule {
 types.NewRule(types.KindOktaAssignment, RW()),
 types.NewRule(types.KindPlugin, RW()),
 types.NewRule(types.KindIntegration, append(RW(), types.VerbUse)),
+ types.NewRule(types.KindBilling, RW()),
 },
 }
 }
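Review bot: The two Stripe directives are appended to the policy returned by GetDefaultContentSecurityPolicy, so every response that uses the default CSP now permits script execution from and framing of https://js.stripe.com, including deployments that never load Stripe; the comment says this is for Cloud auto-pay plans, which suggests the allowance belongs on the billing routes (or behind the Cloud condition) rather than in the default policy. It is also worth confirming that no earlier element of this slice, which starts outside the hunk, already sets `script-src`: browsers honor only the first occurrence of a directive, so a second `script-src` entry later in the list would be silently ignored and the Stripe scripts would still be blocked. If keeping it in the default is deliberate, a comment such as `// NOTE: widens script-src/frame-src for every page, not only billing` makes the trade-off visible to the next maintainer.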
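Review bot: Both presets.go hunks grant the editor preset full read/write on KindBilling, and the one in defaultAllowRules appears to be the list used to reconcile rules into preset roles that already exist, so editor roles in existing clusters would presumably gain billing write access on upgrade without an operator opting in; please confirm that is intended and whether `RW()` is really required or a narrower verb set (read/update) suffices for managing billing details. The new rule in NewPresetEditorRole is placed before the `// Please see defaultAllowRules when adding a new rule.` comment as the existing entries are, which is consistent. A short comment on the defaultAllowRules entry, e.g. `// backfilled into existing editor roles; intentionally grants billing write access`, would document that this is a deliberate privilege widening rather than an oversight.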