diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e71a26081..629fa8180 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -10,6 +10,7 @@ Listen 1013
 	KeepAlive Off
 
 	Header always set X-Content-Type-Options nosniff
+	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c5d8ffba9..b5052dda4 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -21,6 +21,7 @@
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 5c7ddc719..b70994404 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -7,6 +7,7 @@
     RewriteRule .* - [F]
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI