diff --git a/api/http/handler/file/handler.go b/api/http/handler/file/handler.go
index 5af91fb9f..ec4f66b70 100644
--- a/api/http/handler/file/handler.go
+++ b/api/http/handler/file/handler.go
@@ -4,6 +4,9 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/pkg/featureflags"
+
 	"github.com/gorilla/handlers"
 )
 
@@ -16,8 +19,10 @@ type Handler struct {
 // NewHandler creates a handler to serve static files.
 func NewHandler(assetPublicPath string, wasInstanceDisabled func() bool) *Handler {
 	h := &Handler{
-		Handler: handlers.CompressHandler(
-			http.FileServer(http.Dir(assetPublicPath)),
+		Handler: security.MWSecureHeaders(
+			handlers.CompressHandler(http.FileServer(http.Dir(assetPublicPath))),
+			featureflags.IsEnabled("hsts"),
+			featureflags.IsEnabled("csp"),
 		),
 		wasInstanceDisabled: wasInstanceDisabled,
 	}
@@ -53,7 +58,5 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	}
 
-	w.Header().Add("X-XSS-Protection", "1; mode=block")
-	w.Header().Add("X-Content-Type-Options", "nosniff")
 	handler.Handler.ServeHTTP(w, r)
 }
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index 3d684a667..82df8fc5a 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -11,10 +11,11 @@ import (
 	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/dataservices"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/featureflags"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/rs/zerolog/log"
 
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )
 
 const apiKeyHeader = "X-API-KEY"
@@ -43,6 +44,8 @@ type (
 		jwtService    portainer.JWTService
 		apiKeyService apikey.APIKeyService
 		revokedJWT    sync.Map
+		hsts          bool
+		csp           bool
 	}
 
 	// RestrictedRequestContext is a data structure containing information
@@ -69,6 +72,8 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 		dataStore:     dataStore,
 		jwtService:    jwtService,
 		apiKeyService: apiKeyService,
+		hsts:          featureflags.IsEnabled("hsts"),
+		csp:           featureflags.IsEnabled("csp"),
 	}
 
 	go b.cleanUpExpiredJWT()
@@ -79,7 +84,7 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 // PublicAccess defines a security check for public API endpoints.
 // No authentication is required to access these endpoints.
 func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
-	return mwSecureHeaders(h)
+	return MWSecureHeaders(h, bouncer.hsts, bouncer.csp)
 }
 
 // AdminAccess defines a security check for API endpoints that require an authorization check.
@@ -208,7 +213,8 @@ func (bouncer *RequestBouncer) mwAuthenticatedUser(h http.Handler) http.Handler
 		bouncer.CookieAuthLookup,
 		bouncer.JWTAuthLookup,
 	}, h)
-	h = mwSecureHeaders(h)
+	h = MWSecureHeaders(h, bouncer.hsts, bouncer.csp)
+
 	return h
 }
 
@@ -506,10 +512,17 @@ func extractAPIKey(r *http.Request) (string, bool) {
 	return "", false
 }
 
-// mwSecureHeaders provides secure headers middleware for handlers.
-func mwSecureHeaders(next http.Handler) http.Handler {
+// MWSecureHeaders provides secure headers middleware for handlers.
+func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
+		if hsts {
+			w.Header().Set("Strict-Transport-Security", "max-age=31536000") // 365 days
+		}
+
+		if csp {
+			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud")
+		}
+
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		next.ServeHTTP(w, r)
 	})
diff --git a/api/portainer.go b/api/portainer.go
index 5f361a459..0f7b0aa13 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1653,11 +1653,15 @@ const (
 
 // List of supported features
 const (
-	FeatureFdo = "fdo"
+	FeatureFdo  = "fdo"
+	FeatureHSTS = "hsts"
+	FeatureCSP  = "csp"
 )
 
 var SupportedFeatureFlags = []featureflags.Feature{
 	FeatureFdo,
+	FeatureHSTS,
+	FeatureCSP,
 }
 
 const (
diff --git a/app/index.html b/app/index.html
index 5a21bd71b..370070b48 100644
--- a/app/index.html
+++ b/app/index.html
@@ -10,19 +10,6 @@
     <meta http-equiv="pragma" content="no-cache" />
     <meta name="robots" content="noindex" />
     <base id="base" />
-    <script>
-      // http://localhost:49000 is a docker extension specific url (see /build/docker-extension/docker-compose.yml)
-      if (window.origin == 'http://localhost:49000') {
-        // we are loading the app from a local file as in docker extension
-        document.getElementById('base').href = 'http://localhost:49000/';
-
-        window.ddExtension = true;
-      } else {
-        var path = window.location.pathname.replace(/^\/+|\/+$/g, '');
-        var basePath = path ? '/' + path + '/' : '/';
-        document.getElementById('base').href = basePath;
-      }
-    </script>
 
     <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
     <!--[if lt IE 9]>
diff --git a/app/index.js b/app/index.js
index bbb18e5f1..a8b0a2128 100644
--- a/app/index.js
+++ b/app/index.js
@@ -21,6 +21,18 @@ import { onStartupAngular } from './app';
 import { configApp } from './config';
 import { constantsModule } from './ng-constants';
 
+// http://localhost:49000 is a docker extension specific url (see /build/docker-extension/docker-compose.yml)
+if (window.origin == 'http://localhost:49000') {
+  // we are loading the app from a local file as in docker extension
+  document.getElementById('base').href = 'http://localhost:49000/';
+
+  window.ddExtension = true;
+} else {
+  var path = window.location.pathname.replace(/^\/+|\/+$/g, '');
+  var basePath = path ? '/' + path + '/' : '/';
+  document.getElementById('base').href = basePath;
+}
+
 initFeatureService(Edition[process.env.PORTAINER_EDITION]);
 
 angular