diff --git a/Changelog.md b/Changelog.md
index 9fdcb15da..df6b1c90d 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -3,6 +3,7 @@ ## Refactor
 * Add bootstrapping for using ECMAScript 6 with automatic transpiling for compatibility [#7581](https://github.com/diaspora/diaspora/pull/7581)
 * Remove backporting of mention syntax [#7788](https://github.com/diaspora/diaspora/pull/7788)
+* Enable Content-Security-Policy header by default [#7781](https://github.com/diaspora/diaspora/pull/7781)
 ## Bug fixes
diff --git a/config/defaults.yml b/config/defaults.yml
index 221448318..4844cc56e 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -150,7 +150,7 @@ defaults:
 title: 'diaspora* social network'
 description: 'diaspora* is the online social world where you are in control.'
 csp:
- report_only: true
+ report_only: false
 report_uri:
 services:
 facebook:
diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
index d52378c29..b34845537 100644
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@@ -571,10 +571,10 @@ configuration: ## Section
 ## is blocked by CSP.
 csp:
- ## Report-Only header (default=true) ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
- ## this to false, the "Content-Security-Policy" header is added instead.
-#report_only: false
+ ## Report-Only header (default=false) ## By default diaspora* adds a "Content-Security-Policy" header. If you set
+ ## this to true, the "Content-Security-Policy-Report-Only" header is added instead.
+#report_only: true
 ## CSP report URI (default=)
 ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
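Review bot: Flipping `report_only` to `false` in config/defaults.yml moves every pod that never set this key from a Content-Security-Policy-Report-Only header to an enforcing Content-Security-Policy header on upgrade, while `report_uri` on the very next line still defaults to empty, so resources that were previously only reported are now blocked and browsers have nowhere to send the violation reports. Pods with custom themes, assets or embedded third-party content (the example file's neighbouring comment already warns that such content "is blocked by CSP") will presumably notice only through browser console errors. The Changelog hunk files this under "Refactor", where operators are unlikely to look for a behaviour change; an explicit upgrade note telling podmins with customizations to set `report_only: true` together with a `report_uri` before upgrading would avoid surprise breakage. The policy directives themselves are not part of this diff, so this note concerns only the rollout of the new default, not the policy content.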
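Review bot: The rewritten comment on `report_only` in config/diaspora.yml.example says which header is sent but not what report-only mode is for, and since the following option `report_uri` defaults to empty, an operator who sets `report_only: true` alone gets no server-visible signal at all. I would add one sentence after the "added instead" line: `## Report-Only mode blocks nothing; use it together with report_uri below to test the policy against custom content before enforcing it.` This is a documentation-only suggestion; the csp section continues past the end of the hunk.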