diff --git a/data/deployments/admin/common.yaml b/data/deployments/admin/common.yaml
--- a/data/deployments/admin/common.yaml
+++ b/data/deployments/admin/common.yaml
@@ -7,6 +7,7 @@
 swh::deploy::hedgedoc::reverse_proxy::backend_http_host: bardo.internal.admin.swh.network
 swh::deploy::hedgedoc::reverse_proxy::backend_http_port: "3000"
+swh::deploy::hedgedoc::reverse_proxy::websocket_support: true
 swh::deploy::hedgedoc::base_url: hedgedoc.softwareheritage.org
 swh::deploy::hedgedoc::vhost::letsencrypt_cert: hedgedoc
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
--- a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
@@ -12,6 +12,10 @@
 $cert_name = lookup("swh::deploy::${service_name}::vhost::letsencrypt_cert")
 $backend_http_host = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_host")
 $backend_http_port = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_port")
+ $websocket_support = lookup({
+ "name" => "swh::deploy::${service_name}::reverse_proxy::websocket_support",
+ "default_value" => false,
+ })
 # Retrieve the list of vhosts
 $vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']
@@ -30,6 +34,7 @@
 backend_http_host => $backend_http_host,
 backend_http_port => $backend_http_port,
 hsts_max_age => lookup('strict_transport_security::max_age'),
+ websocket_support => $websocket_support,
 }
 $icinga_checks_file = lookup('icinga2::exported_checks::filename')
diff --git a/site-modules/profile/manifests/varnish/vhost.pp b/site-modules/profile/manifests/varnish/vhost.pp
--- a/site-modules/profile/manifests/varnish/vhost.pp
+++ b/site-modules/profile/manifests/varnish/vhost.pp
@@ -7,6 +7,7 @@
 String $backend_name,
 String $backend_http_host,
 String $backend_http_port,
+ Boolean $websocket_support = false,
 Optional[String] $vcl_recv_extra = undef,
 Optional[String] $vcl_deliver_extra = undef,
 Variant[Undef, String, Integer[1]] $hsts_max_age = undef,
diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb
--- a/site-modules/profile/templates/hedgedoc/config.json.erb
+++ b/site-modules/profile/templates/hedgedoc/config.json.erb
@@ -18,8 +18,6 @@
 },
 "csp": {
 "enable": true,
- "directives": {
- },
 "upgradeInsecureRequests": "auto",
 "addDefaults": true,
 "addDisqus": true,
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
@@ -15,7 +15,12 @@
 set req.http.x-redir = "https://" + req.http.host + req.url;
 return(synth(850, "Moved permanently"));
 } else {
- set req.http.X_FORWARDED_PROTO = "https";
+<% if @websocket_support -%>
+ if (req.http.upgrade ~ "(?i)websocket") {
+ return (pipe);
+ }
+<% end -%>
+ set req.http.X-Forwarded-Proto = "https";
 set req.backend_hint = <%= @backend_name %>;
 }
 <% if @vcl_recv_extra -%>
@@ -24,6 +29,15 @@
 }
 }
+<% if @websocket_support -%>
+sub vcl_pipe {
+ if (req.http.upgrade) {
+ set bereq.http.upgrade = req.http.upgrade;
+ set bereq.http.connection = req.http.connection;
+ }
+}
+
+<% end -%>
 <% if @hsts_max_age or @vcl_deliver_extra -%>
 sub vcl_deliver {
 if (
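Review bot: Dropping the empty `"directives"` object from the `csp` block is not explained anywhere visible, and CSP is the one setting in this template whose loosening is easy to miss later. With `"addDefaults": true` left in place HedgeDoc's built-in directive set presumably still applies, but whether that set already permits the websocket connection this commit enables at the proxy is not something this hunk shows, so it is worth confirming in a browser rather than assuming. An ERB comment above the `csp` block, e.g. `<%# CSP directives come from HedgeDoc's defaults (addDefaults); add overrides here only when a default blocks something %>`, would record the intent for the next person who wonders where the directives went.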
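Review bot: The websocket branch returns `pipe` before `set req.backend_hint = <%= @backend_name %>;` is reached, so a piped upgrade request goes to whichever backend Varnish treats as the default rather than this vhost's backend, and it also leaves `vcl_recv` without `X-Forwarded-Proto` being set (or overwritten, if the client supplied its own). Move `set req.http.X-Forwarded-Proto = "https";` and `set req.backend_hint = <%= @backend_name %>;` above the `<% if @websocket_support -%>` guard; in Varnish 4+ the `bereq` seen in `vcl_pipe` is built from `req`, so both settings carry over. Note also that `return (pipe)` skips everything after it in `vcl_recv`, including the `vcl_recv_extra` snippet, for any request carrying `Upgrade: websocket`, so per-vhost rules placed there will not apply to such requests; if that is intended, say so in a comment next to the guard. The enclosing `sub vcl_recv` opens before this hunk.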