diff --git a/handler/default.go b/handler/default.go
index b1dc2fc..fb2f75a 100644
--- a/handler/default.go
+++ b/handler/default.go
@@ -35,5 +35,5 @@ func GetHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler {
 authHandler.handle(router)
- return middleware.Logging(middleware.EnableCors(serverSettings, router))
+ return middleware.Logging(middleware.ContentSecurityPolicy(middleware.EnableCors(serverSettings, router)))
 }
diff --git a/middleware/content_security_policiy.go b/middleware/content_security_policiy.go
new file mode 100644
index 0000000..61670f4
--- /dev/null
+++ b/middleware/content_security_policiy.go
@@ -0,0 +1,11 @@
+package middleware
+
+import "net/http"
+
+func ContentSecurityPolicy(next http.Handler) http.Handler {
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Content-Security-Policy", "default-src 'self'")
+ next.ServeHTTP(w, r)
+ })
+}
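Review bot: `default-src 'self'` in the new `ContentSecurityPolicy` handler does not govern `frame-ancestors`, `base-uri` or `form-action`, because those directives do not fall back to `default-src`, so the header as written leaves framing (clickjacking) and `<base>`-tag injection unrestricted; if the application is not meant to be embedded elsewhere, consider `w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'self'")`. Note also that `default-src 'self'` blocks inline scripts and styles, so if this server serves HTML that relies on them they will stop loading — worth confirming against the frontend before merging. The exported function has no doc comment; add `// ContentSecurityPolicy wraps next so that every response carries a Content-Security-Policy header restricting all sources to the serving origin.` The new file's name, `content_security_policiy.go`, contains a typo (`policiy`), and the blank line directly after the func signature is unusual for gofmt'd code.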