diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 4d7e3b588..349ebefe4 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -432,6 +432,7 @@ void WebApplication::configure()
 m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
 m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+ m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
 header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
- QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+ QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
 if (m_isClickjackingProtectionEnabled) {
 header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 csp += QLatin1String(" frame-ancestors 'self';");
 }
+ if (m_isHttpsEnabled) {
+ csp += QLatin1String(" upgrade-insecure-requests;");
+ }
 header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index eabb08cd1..7713cd72b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -146,4 +146,5 @@ private:
 // security related
 bool m_isClickjackingProtectionEnabled;
 bool m_isCSRFProtectionEnabled;
+ bool m_isHttpsEnabled;
 };
diff --git a/src/webui/www/private/preferences_content.html b/src/webui/www/private/preferences_content.html
index 7cf03a480..29a3e2ef9 100644
--- a/src/webui/www/private/preferences_content.html
+++ b/src/webui/www/private/preferences_content.html
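Review bot: The new `upgrade-insecure-requests` directive in processRequest() is keyed on the stored preference `m_isHttpsEnabled`, not on whether the response is actually going out over TLS, so if I read the flag correctly a deployment that terminates TLS in a reverse proxy in front of the Web UI never gets the directive, while a browser only honours it on a page it already loaded over HTTPS. If that trade-off is intended, a short comment on the new branch would save the next reader the question: `// Emitted from the saved HTTPS preference only; a TLS-terminating proxy in front of qBittorrent will not enable it`. Worth considering alongside it whether a `Strict-Transport-Security` header belongs in the same branch, since `upgrade-insecure-requests` only rewrites subresource and navigation URLs inside an already-loaded page and says nothing about the first request. processRequest() starts and ends outside the hunk.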
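Review bot: `bool m_isHttpsEnabled;` in webapplication.h is declared without an initializer and is only assigned in WebApplication::configure() (the first hunk), so a read in processRequest() before configure() has run would use an indeterminate value and could emit or suppress the directive arbitrarily; prefer `bool m_isHttpsEnabled = false;` so the default is the conservative one (directive not emitted). The two neighbouring members share the same shape, so the new line matches existing style, but it is the cheap place to start defaulting security flags to a known value. The class body continues outside the hunk.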
@@ -733,9 +733,9 @@
 // Web UI tab
 updateHttpsSettings = function() {
- var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked');
- $('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled);
- $('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled);
+ var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
+ $('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
+ $('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
 };
 updateBypasssAuthSettings = function() {