diff --git a/next.config.mjs b/next.config.mjs
index 6847a0d..0d77d83 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -6,6 +6,13 @@ import {withSentryConfig} from '@sentry/nextjs'
 const apiUrl = process.env.NEXT_PUBLIC_DIRECTUS_API_URL ?? ''
 const wsUrl = process.env.NEXT_PUBLIC_DIRECTUS_API_WS_URL ?? ''
 
+// Le SDK Directus dérive l'URL WebSocket depuis apiUrl (https→wss, http→ws).
+// On l'inclut toujours dans connect-src pour garantir que CSP autorise la connexion,
+// même si NEXT_PUBLIC_DIRECTUS_API_WS_URL pointe vers un hôte différent.
+const derivedWsUrl = apiUrl
+ .replace(/^https:\/\//, 'wss://')
+ .replace(/^http:\/\//, 'ws://')
+
 // Tokens CSP — les guillemets simples font partie de la spec CSP, pas de JS
 const SELF = '\'self\''
 const NONE = '\'none\''
@@ -20,7 +27,7 @@ const cspDirectives = [
 `default-src ${SELF}`,
 `script-src ${SELF} ${UNSAFE_INLINE}`,
 `style-src ${SELF} ${UNSAFE_INLINE}`,
- `connect-src ${SELF} ${apiUrl} ${wsUrl}`.trim(),
+ `connect-src ${SELF} ${apiUrl} ${wsUrl} ${derivedWsUrl}`.trim().replace(/ {2,}/g, ' '),
 `img-src ${SELF} data: blob:`,
 `font-src ${SELF}`,
 `object-src ${NONE}`,
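Review bot: `derivedWsUrl` keeps whatever path `apiUrl` carries, and a CSP host-source whose path has no trailing slash matches that exact path only. So if NEXT_PUBLIC_DIRECTUS_API_URL is set to something like `https://host/api` (constructed example) and the SDK opens its socket on a path beneath it, the connection would presumably still be blocked. Emitting just the origin is more robust: `const derivedWsUrl = apiUrl ? new URL(apiUrl).origin.replace(/^http/, 'ws') : ''`. Parsing with `URL` also validates the value before it is interpolated verbatim into the header, where a stray space or `;` would otherwise add a source or start a new directive. Note that `new URL` throws on a malformed or relative value, so a bad setting would fail the build instead of silently producing a broken policy.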
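Review bot: On the new `connect-src` line, `.trim().replace(/ {2,}/g, ' ')` repairs the gaps left by empty interpolations after the fact, which is easy to get wrong as more sources are added. Building the directive from a list reads more directly and never produces the gaps: `['connect-src', SELF, ...new Set([apiUrl, wsUrl, derivedWsUrl])].filter(Boolean).join(' ')`. The `Set` also drops the duplicate entry in the common case where `wsUrl` equals the derived value. The `cspDirectives` array starts and ends outside this hunk, so the other entries could not be checked for the same pattern.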