diff --git a/src/app.ts b/src/app.ts
index 60a0b08..4530fa2 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -25,6 +25,7 @@ import {endpoint as getSkipSegments} from './routes/getSkipSegments';
 import {userCounter} from './middleware/userCounter';
 import {loggerMiddleware} from './middleware/logger';
 import {corsMiddleware} from './middleware/cors';
+import {apiCspMiddleware} from './middleware/apiCsp';
 import {rateLimitMiddleware} from './middleware/requestRateLimit';
 import dumpDatabase, {redirectLink} from './routes/dumpDatabase';
@@ -36,6 +37,7 @@ export function createServer(callback: () => void) {
 //setup CORS correctly
 app.use(corsMiddleware);
 app.use(loggerMiddleware);
+ app.use("/api/", apiCspMiddleware);
 app.use(express.json());
 if (config.userCounterURL) app.use(userCounter);
diff --git a/src/middleware/apiCsp.ts b/src/middleware/apiCsp.ts
new file mode 100644
index 0000000..deeb791
--- /dev/null
+++ b/src/middleware/apiCsp.ts
@@ -0,0 +1,6 @@
+import {NextFunction, Request, Response} from 'express';
+
+export function apiCspMiddleware(req: Request, res: Response, next: NextFunction) {
+ res.header("Content-Security-Policy", "script-src 'none'");
+ next();
+}
\ No newline at end of file
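Review bot: The middleware is mounted with the `"/api/"` prefix in the second app.ts hunk, so only requests whose path starts with /api/ get the Content-Security-Policy header; any route mounted on another prefix in createServer (dumpDatabase and redirectLink are imported a few lines up, but their mount points are outside this hunk, so I cannot confirm where they live) keeps no CSP. If every JSON-returning route is meant to be covered, mount it without a path, `app.use(apiCspMiddleware);`, before the route registrations; otherwise record the scope next to the line, `// CSP only for /api/ routes; other mounts are deliberately excluded`. createServer's body continues outside the hunk.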
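Review bot: `script-src 'none'` in apiCsp.ts restricts only script loading; a policy with no `default-src` leaves every other fetch directive unrestricted, so if an API response is ever served with a browser-renderable content type the header stops scripts but nothing else. The usual defense-in-depth policy for an endpoint that never renders HTML is `res.header("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'");`, which is a superset of what the hunk sets. The function is exported without a TSDoc comment; a two-line `/** ... */` stating that it attaches a restrictive CSP to API responses as defense in depth (the API returns no HTML) and then calls next() would tell the next maintainer why it exists. The unused first parameter reads better as `_req: Request`, and an explicit `: void` return type matches the file's other middleware signatures if they carry one.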