diff --git a/docker-compose.yml b/docker-compose.yml
index da647c9..1fd0061 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,6 +32,7 @@ services:
 - COLIBRI_WEBSOCKET_REGEX
 - CONFCODE_URL
 - CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
+ - CSP_HEADER
 - DEFAULT_LANGUAGE
 - DEPLOYMENTINFO_ENVIRONMENT
 - DEPLOYMENTINFO_ENVIRONMENT_TYPE
diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index a0cd384..e0400a1 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -28,6 +28,9 @@ error_page 404 /static/404.html;
 # Security headers
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
+{{ if .Env.CSP_HEADER }}
+add_header Content-Security-Policy "{{ .Env.CSP_HEADER }}" always;
+{{ end }}
 set $prefix "";
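Review bot: The new `add_header Content-Security-Policy` in meet.conf appears to sit at server level, and nginx inherits `add_header` from the outer level only when the current level declares none of its own, so any `location` that sets its own headers will answer without the policy. The rest of meet.conf is outside this hunk, so this needs checking against the locations there (the existing CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN variable suggests at least one of them adds a header); where that is the case, the three template lines should be repeated or included in those locations too. Separately, `{{ .Env.CSP_HEADER }}` is placed unescaped inside a double-quoted nginx string, so a value containing `"` would yield a config that fails to load or parses differently than intended. A comment above the block such as `# CSP_HEADER is inserted verbatim: no double quotes; not inherited by locations that set add_header` would document both constraints for operators.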