diff --git a/variants/backend-base/config/initializers/content_security_policy.rb b/variants/backend-base/config/initializers/content_security_policy.rb
index 9f125d6f..4b54b448 100644
--- a/variants/backend-base/config/initializers/content_security_policy.rb
+++ b/variants/backend-base/config/initializers/content_security_policy.rb
@@ -11,9 +11,13 @@
 #
 policy.default_src :self
 policy.font_src :self
-policy.img_src :self
+policy.img_src :self, *[
+ ("*.googletagmanager.com" if Rails.application.config.google_analytics_id)
+].compact
 policy.object_src :none
-policy.script_src :self
+policy.script_src :self, *[
+ ("*.googletagmanager.com" if Rails.application.config.google_analytics_id)
+].compact
 policy.style_src :self
 
 # Allow inline-styles
@@ -90,8 +94,11 @@
 # * We want to minimize differences in the CSP header between environments so
 # that we can find and fix CSP issues in development but enabling the
 # webpack-dev-server to communicate over websockets is an exception.
-#
-policy.connect_src :self, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+policy.connect_src :self, *[
+ ("*.googletagmanager.com" if Rails.application.config.google_analytics_id),
+ ("http://localhost:3035" if Rails.env.development?),
+ ("ws://localhost:3035" if Rails.env.development?)
+].compact
 
 # Enable CSP reporting
 # ####################
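Review bot: The Tag Manager allow-list is built inline three times from the same `("*.googletagmanager.com" if Rails.application.config.google_analytics_id)` expression (img_src and script_src here, connect_src in the second hunk), so the three directives can drift apart on a later edit; compute it once above the directives, e.g. `gtm_hosts = Rails.application.config.google_analytics_id ? ["https://*.googletagmanager.com"] : []`, and splat it with `policy.script_src :self, *gtm_hosts`. Pinning the `https://` scheme matters most for script_src: a scheme-less host source matches the page's own scheme, so on a plain-http development page it would also accept script fetched over http from that host. If only `www.googletagmanager.com` is actually needed, the exact host is a narrower grant than the wildcard for a directive that controls script execution. The block that yields `policy` starts and ends outside the hunk.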
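Review bot: connect_src now allows only the Tag Manager host, but the analytics beacons a GTM container fires commonly go to other hosts (the google-analytics.com / analytics.google.com families), which this list does not cover; if that is the case here, those requests will be blocked and will only show up as CSP reports, so confirm the full host set against the report endpoint before relying on it. Separately, `Rails.application.config.google_analytics_id` is read once when this initializer is evaluated, so it must be assigned before this file loads (application.rb or the environment files); a value set in a later-sorted initializer would leave the Tag Manager entries out silently, and a comment such as `# google_analytics_id is read once at boot; set it before initializers run` would make that visible. The block that yields `policy` starts and ends outside the hunk.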