diff --git a/docs/installation/nginx.md b/docs/installation/nginx.md
index 82a2e4cf..84305975 100644
--- a/docs/installation/nginx.md
+++ b/docs/installation/nginx.md
@@ -52,6 +52,11 @@ server {
     location ~ \.php$ {
         return 404;
     }
+    
+    # Set Content-Security-Policy for svg files, to block embedded javascript in there
+    location ~* \.svg$ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
+    }
 
     error_log /var/log/nginx/parts.error.log;
     access_log /var/log/nginx/parts.access.log;
diff --git a/public/.htaccess b/public/.htaccess
index ee3b5450..bfaab5de 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -118,3 +118,10 @@ DirectoryIndex index.php
         # RedirectTemp cannot be used instead
     </IfModule>
 </IfModule>
+
+# Set Content-Security-Policy for svg files (and compressed variants), to block embedded javascript in there
+<IfModule mod_headers.c>
+    <FilesMatch "\.(svg|svg\.gz|svg\.br)$">
+        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
+    </FilesMatch>
+</IfModule>
\ No newline at end of file