diff --git a/api/src/app.ts b/api/src/app.ts
index c584614..4f11bdd 100644
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -35,6 +35,8 @@ if (process.env.NODE_ENV !== 'test') {
   const cspDirectives = { ...defaultNonceCSPDirectives }
   // necessary to use vjsf without pre-compilation
   cspDirectives['script-src'] = "'unsafe-eval' " + defaultNonceCSPDirectives['script-src']
+  // necessary for vjsf to fetch remote services
+  cspDirectives['connect-src'] = "'self' https:"
   app.use(await createSpaMiddleware(resolve(import.meta.dirname, '../../ui/dist'), uiConfig, {
     csp: {
       nonce: true,