diff --git a/common/nginx.nix b/common/nginx.nix
index 4bd8816..2ea3d20 100644
--- a/common/nginx.nix
+++ b/common/nginx.nix
@@ -9,7 +9,7 @@
 
     appendHttpConfig = ''
       add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
-      add_header Content-Security-Policy "default-src https: data: blob: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'none';" always;
+      add_header Content-Security-Policy "default-src https: data: blob: ws: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'self';" always;
       add_header Referrer-Policy strict-origin-when-cross-origin;
       add_header X-Frame-Options SAMEORIGIN;
       add_header X-Content-Type-Options nosniff;
diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix
index 80cc659..a9c34da 100644
--- a/services/audiobookshelf.nix
+++ b/services/audiobookshelf.nix
@@ -19,7 +19,14 @@ in
         ${cfg.domain} = {
           forceSSL = true;
           enableACME = true;
-          locations."/".proxyPass = "http://127.0.0.1:8234/";
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:8234/";
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
+          };
         };
       };
     };