diff --git a/src/common/core/ui/confs/default-server-http/ui.conf b/src/common/core/ui/confs/default-server-http/ui.conf
index ae933eb80..f5547b9fa 100644
--- a/src/common/core/ui/confs/default-server-http/ui.conf
+++ b/src/common/core/ui/confs/default-server-http/ui.conf
@@ -36,19 +36,11 @@ location /setup/check {
     add_header 'Access-Control-Allow-Methods' 'GET' always;
     add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
     add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
-    default_type 'text/plain';
+    default_type 'text/plain; charset=utf-8';
     content_by_lua_block {
-        -- Override CSP header
-        ngx.header["Content-Security-Policy"] = "default-src 'none'; img-src 'self'; require-trusted-types-for 'script';"
-
         -- Remove server header
         ngx.header["Server"] = nil
 
-        -- Override HSTS header
-        if ngx.var.scheme == "https" then
-            ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
-        end
-
         local logger = require "bunkerweb.logger":new("UI")
         local args, err = ngx.req.get_uri_args(1)
         if err == "truncated" or not args["server_name"] or args["server_name"] == "" then
diff --git a/src/ui/main.py b/src/ui/main.py
index 1332bbfb9..556b5aa1d 100755
--- a/src/ui/main.py
+++ b/src/ui/main.py
@@ -405,8 +405,9 @@ def inject_variables():
 
 
 @app.after_request
-def set_csp_header(response):
-    """Set the Content-Security-Policy header to prevent XSS attacks."""
+def set_security_headers(response):
+    """Set the security headers."""
+    # * Content-Security-Policy header to prevent XSS attacks
     response.headers["Content-Security-Policy"] = (
         "object-src 'none';"
         + " frame-ancestors 'self';"
@@ -416,9 +417,26 @@ def set_csp_header(response):
         + " img-src 'self' data: https://assets.bunkerity.com;"
         + " font-src 'self' data:;"
         + " base-uri 'self';"
+        + " block-all-mixed-content;"
         + (" connect-src *;" if request.path.startswith(("/check", "/setup")) else "")
     )
 
+    if request.headers.get("X-Forwarded-Proto") == "https":
+        if not request.path.startswith("/setup/loading"):
+            response.headers["Content-Security-Policy"] += " upgrade-insecure-requests;"
+
+        # * Strict-Transport-Security header to force HTTPS if accessed via a reverse proxy
+        response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains; preload"
+
+    # * X-Frames-Options header to prevent clickjacking
+    response.headers["X-Frame-Options"] = "DENY"
+
+    # * X-Content-Type-Options header to prevent MIME sniffing
+    response.headers["X-Content-Type-Options"] = "nosniff"
+
+    # * Referrer-Policy header to prevent leaking of sensitive data
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+
     return response
 
 
@@ -617,6 +635,7 @@ def setup():
                 "REVERSE_PROXY_URL": request.form["ui_url"] or "/",
                 "INTERCEPTED_ERROR_CODES": "400 404 405 413 429 500 501 502 503 504",
                 "MAX_CLIENT_SIZE": "50m",
+                "KEEP_UPSTREAM_HEADERS": "Content-Security-Policy Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy",
             }
 
             if request.form.get("auto_lets_encrypt", "no") == "yes":