diff --git a/website/docs/security/security-hardening.md b/website/docs/security/security-hardening.md
index a705e4ca2d..6279c4f563 100644
--- a/website/docs/security/security-hardening.md
+++ b/website/docs/security/security-hardening.md
@@ -47,3 +47,32 @@ To prevent any user from creating/editing CAPTCHA stages block API requests to t
 -   `/api/v3/managed/blueprints*`
 
 With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file).
+
+### Content Security Policy (CSP)
+
+:::caution
+Setting up CSP incorrectly might result in the client not loading necessary third-party code.
+:::
+
+:::caution
+In some cases, a CSP header will already be set by authentik (for example, in [user uploaded content](https://github.com/goauthentik/authentik/pull/12092/)). Do not overwrite an already existing header as doing so might result in vulnerabilities. Instead, add a new CSP header.
+:::
+
+Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header.
+
+authentik requires at least the following allowed locations:
+
+```
+default-src 'self';
+img-src 'https:' 'http:' 'data:';
+object-src 'none';
+style-src 'self' 'unsafe-inline';    # Required due to Lit/ShadowDOM
+script-src 'self' 'unsafe-inline';   # Required for generated scripts
+```
+
+Your use case might require more allowed locations for various directives, e.g.
+
+-   when using a CAPTCHA service
+-   when using Sentry
+-   when using any custom JavaScript in a prompt stage
+-   when using Spotlight Sidecar for development