diff --git a/controllers/middlewares/middlewares.go b/controllers/middlewares/middlewares.go
index 600eeef8..a5177e26 100644
--- a/controllers/middlewares/middlewares.go
+++ b/controllers/middlewares/middlewares.go
@@ -60,3 +60,11 @@ func ScopesRequired(scopes ...string) gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// CSP set Content Security Policy http header
+func CSP() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; script-src 'self'")
+		c.Next()
+	}
+}
diff --git a/controllers/middlewares/router.go b/controllers/middlewares/router.go
index 43e95407..84fed7ba 100644
--- a/controllers/middlewares/router.go
+++ b/controllers/middlewares/router.go
@@ -3,5 +3,5 @@ package middlewares
 import "github.com/NyaaPantsu/nyaa/controllers/router"
 
 func init() {
-	router.Get().Use(ErrorMiddleware())
+	router.Get().Use(CSP(), ErrorMiddleware())
 }
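Review bot: The policy set in CSP() leaves out the directives that do not inherit from default-src — frame-ancestors, base-uri and form-action — so this header gives no protection against framing of the site or injected base/form targets; consider `"default-src 'self'; img-src *; media-src *; script-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"`. Because default-src 'self' also governs style-src and blocks any inline script or style the templates may contain, which this diff cannot show, shipping it first as Content-Security-Policy-Report-Only would surface breakage before it reaches users; note too that `img-src *` matches network origins only, so data: or blob: image sources would still be blocked. The policy string would be easier to audit as a package-level constant than as a literal inside the closure, and the doc comment should follow Go convention, e.g. `// CSP returns a middleware that sets the Content-Security-Policy header on every response.`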