diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -2905,7 +2905,7 @@
 keycloak::version: 10.0.2
 
 keycloak::swh_theme::repo_url: https://forge.softwareheritage.org/source/swh-keycloak-theme.git
-keycloak::swh_theme::tag: v0.3.0
+keycloak::swh_theme::tag: v0.3.1
 
 keycloak::vhost::name: auth.softwareheritage.org
 keycloak::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}"
@@ -2937,6 +2937,7 @@
   smtp_server_host: localhost
   smtp_server_from: noreply@softwareheritage.org
   smtp_server_from_display_name: Software Heritage Authentication Service
+  brute_force_protected: true
 
 keycloak::resources::clients::common_settings:
   public_client: true
@@ -2984,6 +2985,7 @@
       registration_allowed: true
       reset_password_allowed: true
       verify_email: true
+      content_security_policy: frame-src 'self'; frame-ancestors 'self' *.softwareheritage.org; object-src 'none';
     flows:
       - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}"
     clients:
@@ -3006,6 +3008,7 @@
       registration_allowed: true
       reset_password_allowed: true
       verify_email: true
+      content_security_policy: frame-src 'self'; frame-ancestors 'self' *.staging.swh.network; object-src 'none';
     flows:
       - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}"
     clients: