diff --git a/src/backend/partaj/middleware.py b/src/backend/partaj/middleware.py
new file mode 100644
index 0000000000..eb103790e1
--- /dev/null
+++ b/src/backend/partaj/middleware.py
@@ -0,0 +1,21 @@
+"""
+Partaj custom middlewares
+"""
+
+
+class HeadersMiddleware:
+    """
+    Middleware adding security headers to responses
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        response["X-Content-Type-Options"] = "nosniff"
+        response["X-XSS-Protection"] = 0
+        response["Content-Security-Policy"] = "upgrade-insecure-requests"
+
+        return response
diff --git a/src/backend/partaj/settings.py b/src/backend/partaj/settings.py
index 19c5b9c3aa..c685ed92b1 100644
--- a/src/backend/partaj/settings.py
+++ b/src/backend/partaj/settings.py
@@ -223,6 +223,7 @@ class Base(ElasticSearchMixin, SendinblueMixin, DRFMixin, Configuration):
         "impersonate.middleware.ImpersonateMiddleware",
         "django.middleware.clickjacking.XFrameOptionsMiddleware",
         "dockerflow.django.middleware.DockerflowMiddleware",
+        "partaj.middleware.HeadersMiddleware",
     ]
 
     ROOT_URLCONF = "partaj.urls"
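Review bot: The `Content-Security-Policy` set in `__call__` (`upgrade-insecure-requests` on its own) restricts no sources, so together with `X-XSS-Protection: 0` the response ends up with no XSS mitigation at all; if the goal is hardening rather than only HTTPS upgrading, a `default-src` directive belongs in the policy, otherwise the class docstring should state that the CSP is deliberately upgrade-only. The three assignments also overwrite any header a view already set on its own response; guarding the CSP line with `if not response.has_header("Content-Security-Policy"):` keeps per-view policies intact. The value `0` is an int that Django stringifies on the way out; `"0"` is the explicit form and avoids relying on that conversion. Note that `django.middleware.security.SecurityMiddleware` already emits `X-Content-Type-Options: nosniff` when `SECURE_CONTENT_TYPE_NOSNIFF` is enabled, so this may duplicate it — worth confirming against the full MIDDLEWARE list, whose start is outside the settings hunk.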