diff --git a/src/main/java/com/erudika/scoold/controllers/PeopleController.java b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
index 140e3036..d46a0600 100755
--- a/src/main/java/com/erudika/scoold/controllers/PeopleController.java
+++ b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
@@ -151,6 +151,9 @@ public String bulkEdit(@RequestParam(required = false) String[] selectedUsers,
 @GetMapping("/avatar")
 public void avatar(@RequestParam(required = false) String url, HttpServletRequest req, HttpServletResponse res, Model model) {
+ // prevents reflected XSS. see https://brutelogic.com.br/poc.svg
+ // for some reason the CSP header is not sent on these responses by the ScooldInterceptor
+ utils.setSecurityHeaders(utils.getCSPNonce(), req, res);
 HttpUtils.getAvatar(url, req, res);
 }
 }
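Review bot: Setting CSP on this response mitigates the symptom, but the reflected XSS exists because `avatar()` passes the caller-supplied `url` unvalidated to `HttpUtils.getAvatar(url, req, res)`, and whatever that helper writes back (SVG, per the linked PoC) is served from Scoold's own origin where inline script can execute. A nonce-based CSP is reasonable defense in depth, yet the `url` parameter should also be checked against an allowlist of expected avatar hosts, or the body forced to be non-executable with `res.setHeader("Content-Disposition", "attachment");` and `res.setHeader("X-Content-Type-Options", "nosniff");` if `setSecurityHeaders` does not already emit them; from this hunk alone it is not visible whether `getAvatar` proxies the remote body or only redirects, so confirm that before relying on CSP. The comment `for some reason the CSP header is not sent` leaves the root cause unresolved — a `void` handler that writes straight to the response presumably never reaches the interceptor's view-rendering hook — and the reason should be stated once known, e.g. `// ScooldInterceptor only sets CSP on view-rendered responses; this handler writes the body directly, so set the headers here`. Also note `url` is `required = false`, so `getAvatar` must tolerate `null`; its handling is outside this hunk.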