Hassio behind reverse proxy always fails on first connection

Hey all,

I’m having a strange issue, and I’m not really sure what I’m missing here.
I have set up a reverse proxy (nginx with ModSecurity) in front of my Home Assistant. It seems to work fine, except that the first page load always fails, and the browser console shows:

Refused to connect to 'wss://myurl.com/api/websocket' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

After pressing Retry on the page, or simply reloading with F5, Home Assistant is reachable and works as it should.
Has anyone ever encountered this issue? Here is my nginx config:

# Derive the Connection header sent to the backend from the client's Upgrade header.
map $http_upgrade $connection_upgrade {
    # Client sent no Upgrade header: ordinary request, so send "Connection: close".
    ''      close;
    # Any other value (a WebSocket handshake sends "websocket"): request the upgrade.
    default Upgrade;
}

# Plain-HTTP listener: its only job is to redirect clients to the HTTPS site.
server {
    server_name myurl.com;
    listen      [::]:80;
    listen      80;

    location / {
        # The target host is a fixed name rather than $host, so the redirect
        # destination does not depend on the client-supplied Host header.
        return 301 https://myurl.com$request_uri;
    }
}

server {
    # NOTE(review): no active listen directive and no ssl_certificate /
    # ssl_certificate_key are visible in this paste. Presumably "listen 443 ssl"
    # and the certificate paths are defined elsewhere (for example in an
    # included snippet) - confirm, otherwise this server block does not serve TLS.
    #listen       80;
    #listen       [::]80;
    server_name  myurl.com;

    access_log /var/log/nginx/myurl.com.log;

    # HSTS: tells browsers to use HTTPS only for this host and its subdomains
    # for one year. Without the "always" parameter nginx attaches add_header
    # headers only to success and redirect status codes, not to error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
    # TLS session cache shared between worker processes (10 MB), used for
    # session resumption.
    ssl_session_cache shared:SSL:10m;

    # Relay backend responses to the client as they arrive instead of buffering them.
    proxy_buffering off;

    # ModSecurity WAF enabled for this server; the rule set is loaded from the
    # file below (its contents are not shown here).
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # Let's Encrypt endpoints are included so they bypass the proxy and
    # certificates can renew automatically.
    include snippets/letsencrypt.conf;
    # Policy headers snippet, currently disabled.
    # NOTE(review): the Content-Security-Policy quoted in the browser error is
    # not set anywhere in the visible config. It presumably comes from an
    # included file or from a response served while this include was active -
    # confirm with "nginx -T" and by inspecting the response headers.
#    include snippets/policy_headers.conf;

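    # Reverse-proxy all regular traffic to the Home Assistant backend.
    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Appends the client address to X-Forwarded-For. The backend should only
        # honour this header on requests that arrive from this proxy's address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http:// https://;
        # WebSocket upgrade pass-through; $connection_upgrade comes from the
        # map block at the top of the file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Browser security headers are *response* headers, so they are set with
        # add_header. proxy_set_header only changes the request sent to the
        # backend, so the original lines never reached the browser.
        # nginx stops inheriting server-level add_header directives as soon as a
        # location defines its own, so HSTS is repeated here to keep it in effect.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Robots-Tag none always;
        # Legacy header: current browsers have removed their XSS auditors, so
        # this has little effect. A Content-Security-Policy is the real control.
        add_header X-XSS-Protection "1; mode=block" always;
        # If a CSP is enabled here, give it an explicit connect-src that covers
        # the WebSocket origin (e.g. connect-src 'self' wss://myurl.com).
        # Otherwise WebSocket connections fall back to default-src, which is the
        # failure reported in the browser console.
       # add_header Content-Security-Policy "default-src 'self';";
        proxy_pass http://10.10.40.37:8123/;
    }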

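    # Dedicated location for the Home Assistant WebSocket endpoint. It defines no
    # add_header of its own, so the server-level HSTS header still applies here.
    location /api/websocket {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Forward the client address exactly as "location /" does, so the backend
        # sees the same source IP for WebSocket sessions as for HTTP requests
        # (relevant for its logging and IP-based controls).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket handshake headers; $connection_upgrade comes from the map
        # block at the top of the file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://10.10.40.37:8123/api/websocket;
    }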

Thanks in advance!

I changed my config to have

# NOTE(review): "wss:" inside default-src is a scheme-wide source. It permits
# WebSocket connections to any host, and it applies to every fetch type that
# falls back to default-src. A narrower variant leaves default-src without
# "wss:" and adds: connect-src 'self' wss://myurl.com
# 'unsafe-inline' and 'unsafe-eval' also remove most of the XSS protection a
# CSP would otherwise provide.
add_header Content-Security-Policy "default-src https: data: wss: 'unsafe-eval' 'unsafe-inline'; object-src 'none'";

This is not necessarily secure, but it is an easy fix: it allows WebSocket connections to any host rather than only to the Home Assistant origin.