diff --git a/l4d2web/app.py b/l4d2web/app.py
index 1e28f5b..c1215cc 100644
--- a/l4d2web/app.py
+++ b/l4d2web/app.py
@@ -90,12 +90,14 @@ def create_app(test_config: dict[str, object] | None = None) -> Flask:
         nonce = getattr(g, "csp_nonce", "")
         # script-src nonce blocks inline XSS; style 'unsafe-inline' kept for
         # htmx's auto-injected indicator styles. img/data: for SVG icons.
+        # *.steamstatic.com covers Steam avatar hosts (avatars.steamstatic.com
+        # plus the cloudflare/akamai/fastly mirrors they rotate through).
         response.headers.setdefault(
             "Content-Security-Policy",
             "default-src 'self'; "
             f"script-src 'self' 'nonce-{nonce}'; "
             "style-src 'self' 'unsafe-inline'; "
-            "img-src 'self' data:; "
+            "img-src 'self' data: https://*.steamstatic.com; "
             "connect-src 'self'; "
             "frame-ancestors 'none'; "
             "base-uri 'self'; "
diff --git a/l4d2web/tests/test_security.py b/l4d2web/tests/test_security.py
index 7e1cdc4..b3db104 100644
--- a/l4d2web/tests/test_security.py
+++ b/l4d2web/tests/test_security.py
@@ -79,6 +79,10 @@ def test_security_headers_present(client) -> None:
     assert "default-src 'self'" in csp
     assert "frame-ancestors 'none'" in csp
     assert "form-action 'self'" in csp
+    # Steam avatar CDN must be explicitly allowed; otherwise the browser
+    # silently blocks the avatar <img> loads and the live-state grid shows
+    # placeholder circles with names but no faces.
+    assert "img-src 'self' data: https://*.steamstatic.com" in csp
 
 
 def test_csp_nonce_matches_inline_script(client) -> None: