diff --git a/app/config.py b/app/config.py
index 27e7ffb..36ff073 100644
--- a/app/config.py
+++ b/app/config.py
@@ -109,6 +109,8 @@ class Config(pydantic.BaseModel):
 
     inbox_retention_days: int = 15
 
+    custom_content_security_policy: str | None = None
+
     # Config items to make tests easier
     sqlalchemy_database: str | None = None
     key_path: str | None = None
@@ -165,6 +167,7 @@ if CONFIG.privacy_replace:
 
 BLOCKED_SERVERS = {blocked_server.hostname for blocked_server in CONFIG.blocked_servers}
 ALSO_KNOWN_AS = CONFIG.also_known_as
+CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy
 
 INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
 CUSTOM_FOOTER = (
diff --git a/app/main.py b/app/main.py
index 0829167..37e1ab8 100644
--- a/app/main.py
+++ b/app/main.py
@@ -137,9 +137,15 @@ class CustomMiddleware:
                 headers["x-frame-options"] = "DENY"
                 headers["permissions-policy"] = "interest-cohort=()"
                 headers["content-security-policy"] = (
-                    f"default-src 'self'; "
-                    f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
-                    f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+                    (
+                        f"default-src 'self'; "
+                        f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
+                        f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+                    )
+                    if not config.CUSTOM_CONTENT_SECURITY_POLICY
+                    else config.CUSTOM_CONTENT_SECURITY_POLICY.format(
+                        HIGHLIGHT_CSS_HASH=HIGHLIGHT_CSS_HASH
+                    )
                 )
                 if not DEBUG:
                     headers["strict-transport-security"] = "max-age=63072000;"
diff --git a/docs/user_guide.md b/docs/user_guide.md
index 578bf08..51ad9c1 100644
--- a/docs/user_guide.md
+++ b/docs/user_guide.md
@@ -131,9 +131,19 @@ See `app/scss/main.scss` to see what variables can be overridden.
 
 If you'd like to customize your instance's theme beyond CSS, you can modify the app's HTML by placing templates in `data/templates` which overwrite the defaults in `app/templates`.
 
+#### Custom Content Security Policy (CSP)
+
+You can override the default Content Security Policy by adding a line in `data/profile.toml`:
+
+```toml
+custom_content_security_policy = "default-src 'self'; style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+```
+
+This example will output the default CSP, note that `{HIGHLIGHT_CSS_HASH}` will be dynamically replaced by the correct value (the hash of the CSS needed for syntax highlighting).
+
 #### Code highlighting theme
 
-You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `profile.toml`:
+You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `data/profile.toml`:
 
 ```toml
 code_highlighting_theme = "solarized-dark"