diff --git a/.htaccess b/.htaccess
index 806280f76841..2608897a04c5 100644
--- a/.htaccess
+++ b/.htaccess
@@ -25,8 +25,6 @@ Redirect permanent /datafusion-python https://datafusion.apache.org/python
 # redirect all ballista URLs to new website
 Redirect permanent /ballista https://datafusion.apache.org/ballista
 
-# enable kapa.ai bot (GH-45665)
-# See https://docs.kapa.ai/integrations/understanding-csp-cors and https://issues.apache.org/jira/browse/INFRA-26638
-<IfModule mod_headers.c>
-    Header set Content-Security-Policy "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://analytics.apache.org/ https://widget.kapa.ai/; style-src 'self' 'unsafe-inline' https://*.kapa.ai/ data:; frame-ancestors 'self'; frame-src 'self' data: blob: https://www.google.com/ https://www.recaptcha.net/; connect-src 'self' https://analytics.apache.org proxy.kapa.ai kapa-widget-proxy-la7.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai www.google.com recaptcha.net; img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.google.com https://*.gstatic.com/; worker-src 'self' data: blob:;"
-</IfModule>
+# Content-Security-Policy exceptions (see https://infra.apache.org/tools/csp.html)
+# kapa.ai domains approved in https://issues.apache.org/jira/browse/INFRA-26638
+SetEnv CSP_PROJECT_DOMAINS "https://*.kapa.ai/ https://widget.kapa.ai/ https://proxy.kapa.ai/ https://kapa-widget-proxy-la7.kapa.ai/ https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/ https://metrics.kapa.ai/ https://www.gstatic.com/ https://www.google.com/ https://www.recaptcha.net/ https://recaptcha.net/ https://www.apachecon.com/ https://www.communityovercode.org/"