diff --git a/packages/backend/src/server/web/index.ts b/packages/backend/src/server/web/index.ts
index bbd5ed4632..aa1c76de7b 100644
--- a/packages/backend/src/server/web/index.ts
+++ b/packages/backend/src/server/web/index.ts
@@ -47,6 +47,16 @@ app.use(async (ctx, next) => {
 // %71ueueとかでリクエストされたら困るため
 const url = decodeURI(ctx.path);
 if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
+ ctx.set('Content-Security-Policy',
+ `base-uri 'self'; ` +
+ `default-src 'none'; ` +
+ `script-src 'self'; ` +
+ `img-src 'self' https: data: blob:; ` +
+ `style-src 'self' 'unsafe-inline' https:; ` +
+ `font-src 'self' https:; ` +
+ `connect-src 'self' data: blob:; ` +
+ `frame-ancestors 'none'`);
+
 if (!url.startsWith(bullBoardPath + '/static/')) {
 ctx.set('Cache-Control', 'private, max-age=0, must-revalidate');
 }
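Review bot: The new policy omits `form-action`, which does not fall back to `default-src`, so a form on the bull-board pages can still be made to submit to an arbitrary origin; add `form-action 'self'; ` to the policy string, e.g. just before the `frame-ancestors 'none'` segment. The `https:` scheme sources in `img-src`, `style-src` and `font-src` admit any HTTPS origin and, together with `'unsafe-inline'` in `style-src`, noticeably weaken the `default-src 'none'` baseline this policy otherwise establishes; if bull-board only serves its own assets these can be tightened to `'self'`, otherwise list the specific origins it needs rather than the whole scheme — which origins those are is not visible from the hunk. Since the policy is a compile-time constant, consider hoisting it into a module-level `const bullBoardCsp = ...` so it is not concatenated on every request and is easier to audit in one place. The enclosing `app.use` callback continues beyond the end of the hunk.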