diff --git a/changes/changelog.d/880.enhancement b/changes/changelog.d/880.enhancement
new file mode 100644
index 0000000000000000000000000000000000000000..58d308afab5727d185f533fc65fffa8bfdf77d80
--- /dev/null
+++ b/changes/changelog.d/880.enhancement
@@ -0,0 +1 @@
+Hardened security thanks to CSP and additional HTTP headers (#880)
diff --git a/changes/notes.rst b/changes/notes.rst
index b52fb789777f3a0b722a8977c28be60d3ec3ad1f..40a1d7bbb517186209f1d8a0a72fa1e3b025eb60 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -43,3 +43,18 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 ``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``
 
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
+
+
+Content-Security-Policy [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
+you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
+for both Docker and non-Docker deployments)::
+
+    server {
+        # Security related headers
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    }
+
+Then reload nginx with ``systemctl reload nginx``.
diff --git a/deploy/docker.proxy.template b/deploy/docker.proxy.template
index 0fbed2f73d6015a817b878673cbdd15de0718154..6b0a0405abfc2ca6cd299705801ca16848a1ac85 100644
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -29,6 +29,9 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
     # compression settings
     gzip on;
     gzip_comp_level    5;
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 78b8ff3d6cf99e1b732e726ef448de9b65f9d517..b38a7e67dc1a0fa2adc0f4ecf45c7563e14e4e14 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -41,6 +41,9 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
     root ${FUNKWHALE_FRONTEND_PATH};
 
     # compression settings
@@ -111,7 +114,7 @@ server {
         internal;
         alias   ${MEDIA_ROOT};
     }
-    
+
     # Comment the previous location and uncomment this one if you're storing
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 0ab9ec160dd6aeadcbf449ef83e36c9a6cc6356b..8b35430a2bbc7ab43d0c116025ad6103f0a1b821 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,6 +69,8 @@ http {
             text/x-component
             text/x-cross-domain-policy;
 
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
         location /front/ {
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"