diff --git a/README.md b/README.md
index 7195c1749103b3a12166bdeb3fd1e2c082602fe3..3874c88db54649ff90e23353f147a3b6b29f94c3 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Role Variables
 | `funkwhale_api_ip`                      | `127.0.0.1`                   | IP address with which to bind the Funkwhale server |
 | `funkwhale_api_port`                    | `5000`                        | Port with which to bind the Funkwhale server |
 | `funkwhale_config_path`                 | `/srv/funkwhale/config`       | Path to Funkwhale's configuration directory |
+| `funkwhale_nginx_csp_policy`            | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"`       | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
 | `funkwhale_database_managed`            | `true`                        | If `true`, the role will manage the database server and Funkwhale's database  |
 | `funkwhale_database_name`               | `funkwhale`                   | Name of the Funkwhale database to use |
 | `funkwhale_database_user`               | `funkwhale`                   | Postgresql username to login as |
diff --git a/defaults/main.yml b/defaults/main.yml
index 90f6639fa260e5bfc2d423595d11dd69a69fcdb7..74ea9c7dd29b067740a92d522f58dee2639f55b9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
 funkwhale_letsencrypt_enabled: true
 funkwhale_letsencrypt_skip_cert: false
 
+funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
 funkwhale_redis_managed: true
 funkwhale_api_ip: 127.0.0.1
 funkwhale_api_port: 5000
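Review bot: The new default for `funkwhale_nginx_csp_policy` carries no comment explaining the opt-out, although the template renders the header only inside `{% if funkwhale_nginx_csp_policy %}`, so an empty string silently drops Content-Security-Policy altogether; a comment above the line such as `# Content-Security-Policy sent by nginx; set to "" to omit the header. style-src keeps 'unsafe-inline' for the frontend's inline styles — tighten if your deployment does not need it.` would make both facts visible to operators. The value also contains `'unsafe-inline'` for `style-src`, which weakens the policy's protection against injected styles; that may be required by the Funkwhale frontend, but it deserves stating rather than being buried in a long default. Since `default-src 'self'` also governs `connect-src`, deployments that place the API or media on another origin will break until they override this variable, as the README hunk already hints.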
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 087aede08cb79ac7cdeb407404b1b02344aa8aa0..d7ff7462d9cbd4ccb80f5b0b061d83be79c450d3 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -30,7 +30,12 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
     add_header Strict-Transport-Security "max-age=63072000; preload";
-    {% endif %}
+    {% endif -%}
+
+    {% if funkwhale_nginx_csp_policy -%}
+    # Security-related headers
+    add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
+    {% endif -%}
 
     root {{ funkwhale_frontend_path }};
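Review bot: The new `add_header Content-Security-Policy` line omits nginx's `always` parameter, so the header is only attached to 2xx/3xx responses and is absent from error pages, where a reflected-content policy still matters; the line should read `add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}" always;`. Note also nginx's inheritance rule: any `location` block that declares its own `add_header` suppresses every server-level `add_header`, so if location blocks below this hunk (outside my view) add headers, this policy will not reach responses served from them — worth a comment next to the new line, e.g. `# NOTE: locations that declare add_header themselves do not inherit this header`. Finally, the variable is interpolated verbatim into a double-quoted nginx string; a policy value containing `"` would produce an invalid config, so a short comment stating that the value must not contain double quotes would help. The enclosing `server` block starts and ends outside the hunk.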