diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000000..bac6c0a0bc
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+# https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax
+
+
+##### Security #####
+# require review from security team for content security policy
+/vercel.json @getsentry/security
\ No newline at end of file
diff --git a/vercel.json b/vercel.json
index 3924b7903e..da500bc85a 100644
--- a/vercel.json
+++ b/vercel.json
@@ -16,8 +16,8 @@
 "value": "1; mode=block"
 },
 {
- "key": "Content-Security-Policy-Report-Only",
- "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com; connect-src 'self' sentry.io o1.ingest.sentry.io *.algolia.net *.algolianet.com *.algolia.io *.google-analytics.com stats.g.doubleclick.net; img-src * 'self' data: img.shields.io mermaid.ink user-images.githubusercontent.com www.google.com www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
+ "key": "Content-Security-Policy",
+ "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' sentry.io o1.ingest.sentry.io *.algolia.net *.algolianet.com *.algolia.io; img-src * 'self' data: img.shields.io mermaid.ink user-images.githubusercontent.com; style-src 'self' 'unsafe-inline'; font-src 'self'; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
 },
 {
 "key": "Document-Policy",
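Review bot: The `/vercel.json @getsentry/security` rule only blocks merges if the branch protection rule for the target branch has "Require review from Code Owners" enabled; on its own, CODEOWNERS merely auto-requests the team as reviewers, so the intent stated in the comment ("require review from security team") should be confirmed against the repository's branch protection settings. The comment could say so explicitly, e.g. `# enforced via branch protection: "Require review from Code Owners"`. The file also ends without a trailing newline (`\ No newline at end of file`), which is harmless here but worth fixing for clean future diffs.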
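Review bot: Replacing the `Content-Security-Policy-Report-Only` entry outright removes the reporting channel just when it is most useful, because the now-enforced `script-src` still carries `'unsafe-inline' 'unsafe-eval'`, which leaves the policy with little script-injection mitigation; keeping a second, stricter `Content-Security-Policy-Report-Only` entry (nonce- or hash-based script-src, without those keywords) alongside the enforced header would let the team measure breakage before tightening. Note that `default-src 'none'` does not apply to `frame-ancestors`, which has no fallback directive — unless an `X-Frame-Options` header is set elsewhere in this file (not visible in the hunk), consider appending `; frame-ancestors 'none'` to the enforced value. In `img-src`, the `*` source already matches every listed host, so `img.shields.io mermaid.ink user-images.githubusercontent.com` are redundant; either drop them or narrow `*` to the hosts actually needed so the allow-list is meaningful.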