diff --git a/cmd/flipt/main.go b/cmd/flipt/main.go
index 74fbe94956..cc83612eaf 100644
--- a/cmd/flipt/main.go
+++ b/cmd/flipt/main.go
@@ -33,15 +33,13 @@ import (
 _ "github.com/golang-migrate/migrate/v4/source/file"
 )
-const devVersion = "dev"
-
 var (
 cfg *config.Config
 cfgWarnings []string
 cfgPath string
 forceMigrate bool
- version = devVersion
+ version = "dev"
 commit string
 date string
 goVersion = runtime.Version()
diff --git a/internal/cmd/http.go b/internal/cmd/http.go
index 091f124126..0bf88980ab 100644
--- a/internal/cmd/http.go
+++ b/internal/cmd/http.go
@@ -81,8 +81,11 @@ func NewHTTPServer(
 logger.Info("CORS enabled", zap.Strings("allowed_origins", cfg.Cors.AllowedOrigins))
 }
- r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
- r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; img-src * data:;"))
+ // TODO: replace with more robust 'mode' detection
+ if !info.IsDevelopment() {
+ r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
+ r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; img-src * data:;"))
+ }
 r.Use(middleware.RequestID)
 r.Use(middleware.RealIP)
diff --git a/internal/info/flipt.go b/internal/info/flipt.go
index bee3beef0a..1fa70a9435 100644
--- a/internal/info/flipt.go
+++ b/internal/info/flipt.go
@@ -15,6 +15,10 @@ type Flipt struct {
 IsRelease bool `json:"isRelease"`
 }
+func (f Flipt) IsDevelopment() bool {
+ return f.Version == "dev" && !f.IsRelease
+}
+
 func (f Flipt) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 var (
 out []byte
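Review bot: The new guard `if !info.IsDevelopment()` in internal/cmd/http.go fails open: a binary whose version was never stamped keeps the default `version = "dev"` from cmd/flipt/main.go, so it would serve without `Content-Security-Policy` and `X-Content-Type-Options`, and nothing is logged when that happens. Only the CSP is likely to get in the way of a local UI dev server, so I would keep `r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))` unconditional and gate the CSP line alone. I would also add an else branch with `logger.Warn("development build detected, Content-Security-Policy header not set")` so an unstamped build running in production is visible in the logs. NewHTTPServer starts and ends outside this hunk, so how `info` is populated (in particular how `IsRelease` is derived) cannot be confirmed from here.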
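Review bot: `IsDevelopment` in internal/info/flipt.go has no doc comment and compares against the bare literal `"dev"`, which after the cmd/flipt/main.go hunk removed `devVersion` is now spelled independently in two packages. Because this predicate decides whether security headers are set, a drift between the two literals would change the server's hardening silently. I would add `// IsDevelopment reports whether this is an unstamped, non-release build; callers relax security headers when it returns true, so it must be false for anything shipped.` above the method. I would also declare the string once in this package (for example `const devVersion = "dev"`) and use it in the comparison `f.Version == devVersion`.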