diff --git a/config/apache-davical.conf b/config/apache-davical.conf index d16a78ee..0661825d 100644 --- a/config/apache-davical.conf +++ b/config/apache-davical.conf @@ -21,6 +21,11 @@ Alias /davical /usr/share/davical/htdocs # Some people want this. YMMV. #php_admin_value open_basedir /usr/share/awl/inc/:/usr/share/davical/:/etc/davical/ + + # All content for our UI should be served locally. + + Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" + @@ -49,8 +54,3 @@ Alias /davical /usr/share/davical/htdocs # Everything else gets rewritten to /caldav.php/... #RewriteRule ^(.*)$ /davical/caldav.php$1 [NC,L] - -# All content for our UI should be served locally. - - Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" - diff --git a/debian/changelog b/debian/changelog index 7abf8f0b..a5eaf7c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +davical (1.1.13-1) UNRELEASED; urgency=medium + + * New upstream release (Closes: #1040996) + + -- Andrew Ruthven Mon, 23 Oct 2023 17:57:01 +1300 + davical (1.1.12-1) unstable; urgency=medium [ Debian Janitor ] diff --git a/testing/apache-site.conf.example b/testing/apache-site.conf.example index d978b1e4..cbacae2c 100644 --- a/testing/apache-site.conf.example +++ b/testing/apache-site.conf.example 
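Review bot: In config/apache-davical.conf the relocated `Header set Content-Security-Policy …` uses the default onsuccess condition, so error and redirect responses that Apache generates itself go out without the policy; `Header always set Content-Security-Policy "…"` with the same value would cover them. The same line is added in the first hunk of testing/apache-site.conf.example. The lines wrapping the directive have lost their markup on this page; if they are an `<IfModule mod_headers.c>` guard, the policy is silently absent whenever mod_headers is not loaded, which deserves a comment next to it such as `# Requires mod_headers (a2enmod headers); without it no CSP is sent.` The policy also still permits `object-src 'self'`; unless the UI embeds plugin content, which the hunk does not show, `object-src 'none'` is the tighter value. The enclosing configuration section starts and ends outside the hunk.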
@@ -11,6 +11,11 @@ Listen 127.0.1.1:80 Require all granted DirectoryIndex index.php index.html php_value include_path /path/to/awl/inc:/path/to/davical/testing + + # All content for our UI should be served locally. + + Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" + RewriteEngine On @@ -25,9 +30,4 @@ Listen 127.0.1.1:80 RewriteCond %{REQUEST_URI} !^/$ RewriteCond %{REQUEST_URI} !\.(php|css|png|gif|js|jpg|ico) RewriteRule ^(.*)$ /caldav.php$1 [NC,L] - - # All content for our UI should be served locally. - - Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" -