These settings worked for me:
module.exports = ({ env }) => [
"strapi::errors",
{
name: "strapi::security",
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"connect-src": ["'self'", "https:"],
"img-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://s3.${env("AWS_REGION")}.amazonaws.com/${env(
"MEDIA_BUCKET"
)}/`,
],
"media-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://s3.${env("AWS_REGION")}.amazonaws.com/${env(
"MEDIA_BUCKET"
)}/`,
],
upgradeInsecureRequests: null,
},
},
},
},
"strapi::cors",
"strapi::poweredBy",
"strapi::logger",
"strapi::query",
"strapi::body",
"strapi::session",
"strapi::favicon",
"strapi::public",
];