diff --git a/History.md b/History.md
index 312f4b9695..b0685594a3 100644
--- a/History.md
+++ b/History.md
@@ -35,9 +35,10 @@ unreleased
     - deps: range-parser@~1.2.1
     - deps: statuses@~1.5.0
     - perf: remove redundant `path.normalize` call
-  * deps: serve-static@1.14.0
+  * deps: serve-static@1.14.1
+    - Set stricter CSP header in redirect response
     - deps: parseurl@~1.3.3
-    - deps: send@0.17.0
+    - deps: send@0.17.1
   * deps: setprototypeof@1.1.1
   * deps: statuses@~1.5.0
     - Add `103 Early Hints`
diff --git a/package.json b/package.json
index 34904ac000..3a6a00d153 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
     "range-parser": "~1.2.0",
     "safe-buffer": "5.1.2",
     "send": "0.17.1",
-    "serve-static": "1.14.0",
+    "serve-static": "1.14.1",
     "setprototypeof": "1.1.1",
     "statuses": "~1.5.0",
     "type-is": "~1.6.18",
diff --git a/test/express.static.js b/test/express.static.js
index 7c9852243e..485ee4c0c1 100644
--- a/test/express.static.js
+++ b/test/express.static.js
@@ -513,7 +513,7 @@ describe('express.static()', function () {
     it('should respond with default Content-Security-Policy', function (done) {
       request(this.app)
         .get('/users')
-        .expect('Content-Security-Policy', "default-src 'self'")
+        .expect('Content-Security-Policy', "default-src 'none'")
         .expect(301, done)
     })