diff --git a/.env.example b/.env.example index 5aa6abd..0d75c95 100644 --- a/.env.example +++ b/.env.example @@ -1,6 +1,9 @@ -# This file contains Content Security Policy (CSP) directives. +# This file contains Content Security Policy (CSP) directives to test Wagtail's compatibility with CSP. # If the variables defined here are loaded into the environment, CSP will be enabled. +# These values are commented out by default because Wagtail is not (yet) compatible with +# the strict policy defined below. + # Careful about the quoting of directives! It is easy to break. # CSP_DEFAULT_SRC="'self'" diff --git a/readme.md b/readme.md index e3f975d..47ce63b 100644 --- a/readme.md +++ b/readme.md @@ -155,7 +155,7 @@ Next, we'll set up our local environment variables. We use [django-dotenv](https to help with this. It reads environment variables located in a file name `.env` in the top level directory of the project. The only variable we need to start is `DJANGO_SETTINGS_MODULE`: cp bakerydemo/settings/local.py.example bakerydemo/settings/local.py - touch .env + cp .env.example .env To set up your database and load initial data, run the following commands: 
@@ -208,6 +208,13 @@ In production on your own site, you'll need to change this to: and configure [SMTP settings](https://docs.djangoproject.com/en/3.2/topics/email/#smtp-backend) appropriate for your email provider. +## Testing Content-Security-Policy compliance in Wagtail + +Bakerydemo is set up in such a way that it can be used to test [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) compatibility in Wagtail. It uses [django-csp](https://django-csp.readthedocs.io/en/latest/index.html) to generate the appropriate [CSP HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). + +By default, `django-csp` is not enabled since Wagtail isn't fully compatible yet. Set the `CSP_DEFAULT_SRC` environment variable in your `.env` file to set the default policy. An example can be found in `.env.example`. + + ### Ownership of demo content All content in the demo is public domain. Textual content in this project is either sourced from Wikimedia (Wikipedia for blog posts, [Wikibooks for recipes](https://en.wikibooks.org/wiki/Cookbook:Table_of_Contents)) or is lorem ipsum. All images are from either Wikimedia Commons or other copyright-free sources.
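Review bot: In the `.env.example` hunk, the warning "Careful about the quoting of directives! It is easy to break." does not say what can break, so a reader editing the file has nothing to check against; spell it out next to the commented example, e.g. that the outer double quotes are consumed when the file is loaded while the inner single quotes in `'self'` must survive, because CSP keyword sources are only valid when quoted in the header value. It would also help to state that the new "Wagtail is not (yet) compatible" comment refers to the whole policy block that follows, so a reader understands that uncommenting only `CSP_DEFAULT_SRC` already turns enforcement on.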
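Review bot: In the `readme.md` hunk at line 155, replacing `touch .env` with `cp .env.example .env` is inconsistent with the unchanged sentence just above it, "The only variable we need to start is `DJANGO_SETTINGS_MODULE`": the visible part of `.env.example` contains only commented-out CSP directives, so after the copy that variable is still unset unless `.env.example` defines it further down. Either confirm that `.env.example` sets `DJANGO_SETTINGS_MODULE` or keep an explicit instruction to add it after the copy.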
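Review bot: In the `readme.md` hunk at line 208, the new heading `## Testing Content-Security-Policy compliance in Wagtail` is one level higher than the existing `### Ownership of demo content` that follows it, so the ownership section now renders as a subsection of the CSP section; use `###` to match the neighbouring headings. Two minor points in the same hunk: there are two consecutive blank lines before `### Ownership of demo content`, and the sentence "Set the `CSP_DEFAULT_SRC` environment variable in your `.env` file to set the default policy" could note that this enables header enforcement immediately, matching the comment in `.env.example` that CSP is enabled as soon as the variables are loaded.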