diff --git a/.env.dev b/.env.dev
index 9824a8638..66638d77f 100644
--- a/.env.dev
+++ b/.env.dev
@@ -12,7 +12,6 @@ FORWARDED_PROTO=http
 LDAP_ENABLED=False
 FUNKWHALE_SPA_HTML_ROOT=http://nginx/front/
 PYTHONTRACEMALLOC=0
-STATIC_URL=http://localhost:8000/staticfiles/
 # Uncomment this if you're using traefik/https
 # FORCE_HTTPS_URLS=True
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index bad83dacb..0593c75ba 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -132,6 +132,11 @@ Create it like this::
 touch .env
+These two environment variables must be included for the images to load in front-end and django admin pages::
+
+ MEDIA_URL=http://localhost:8000/media/
+ STATIC_URL=http://localhost:8000/staticfiles/
+
 Create docker network
 ^^^^^^^^^^^^^^^^^^^^^
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 96d8be7e0..11c0b1307 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,7 +69,7 @@ http {
 text/x-component
 text/x-cross-domain-policy;
- add_header Content-Security-Policy "default-src 'self' 'unsafe-eval'; connect-src 'self' 'unsafe-eval' *; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-eval'; connect-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "SAMEORIGIN" always;
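Review bot: In the new Content-Security-Policy line of docker/nginx/conf.dev, `'unsafe-eval'` is still listed under `connect-src`, where it has no effect (it is a script-execution keyword), and the header is added without `always`, unlike `X-Frame-Options` two lines below, so nginx will omit the policy on error responses. I would reduce the directive to `connect-src 'self';` and close the line with `media-src 'self' data:" always;`. With `*` gone, any fetch, XHR or WebSocket call from the front end to another origin is now blocked in the dev stack; if such calls are needed (this hunk does not show whether they are), list those origins explicitly rather than restoring the wildcard. The `http { ... }` block starts and ends outside the hunk, so it is not visible here whether a `server` or `location` block declares its own `add_header`, which would stop these headers from being inherited.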