diff --git a/docker/nginx.conf b/docker/nginx.conf
index 7f7313e00b..dbc08b8b75 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -30,6 +30,10 @@ server {
 add_header X-XSS-Protection "1; mode=block;";
 # disable content-type sniffing on some browsers.
 add_header X-Content-Type-Options nosniff;
+ # enable HSTS
+ add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
+ # enable CSP
+ add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self' https://js.stripe.com/v3; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' https://growth.appwrite.io https://*.sentry.io https://plausible.io; font-src 'self' https://fonts.appwrite.io; frame-src 'self' https://js.stripe.com; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self' blob:;";
 }
 location / {
diff --git a/src/app.html b/src/app.html
index 206daa685f..4392a6fa9a 100644
--- a/src/app.html
+++ b/src/app.html
@@ -5,7 +5,9 @@ - +
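Review bot: Neither of the two new add_header lines carries the `always` parameter, so nginx sends the HSTS and CSP headers only on successful and redirect responses and omits them on 4xx/5xx error pages, which is where an attacker-influenced page is most likely to render; `add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;` and the same `always` suffix on the Content-Security-Policy line close that gap. Note also that nginx does not merge add_header across levels: if the `location / {` block that follows (its body is outside the hunk) or any other location declares its own add_header, none of these server-level headers will be emitted there, which is worth confirming. The CSP contains `'report-sample'` in script-src and style-src but no `report-uri` or `report-to` directive, so violations are neither reported nor sampled; either add a reporting endpoint or drop the token. Finally, `preload` combined with a two-year max-age and includeSubDomains is effectively irreversible once the host is submitted to the browser preload list, so it should be a deliberate decision covering every subdomain served from this origin.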