diff --git a/Dockerfile b/Dockerfile
index 2e21bcb883..3b716a8e8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,9 @@ RUN echo "{\"sha\": \"$(git rev-parse HEAD)\", \"version\": \"$(git describe --t
 FROM docker.io/nginx:1.25
 RUN mkdir /etc/nginx/templates
 COPY dockerconf/nginx.conf.template /etc/nginx/templates/default.conf.template
-COPY --from=build-stage /app/dist /usr/share/nginx/html
+COPY --from=build-stage /app/dist /usr/share/nginx/html/frontend
+# second index.html needed for the location /h5p/ in csp rules
+COPY --from=build-stage /app/dist /usr/share/nginx/html/h5p
+
 EXPOSE 4000
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/dockerconf/nginx.conf.template b/dockerconf/nginx.conf.template
index 6bd71e1a8f..6456d44bdb 100644
--- a/dockerconf/nginx.conf.template
+++ b/dockerconf/nginx.conf.template
@@ -4,6 +4,8 @@ server {
 set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
+ set $h5pcsp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
+
 location /status {
 stub_status;
 }
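Review bot: The second COPY of /app/dist into /usr/share/nginx/html/h5p puts a byte-identical duplicate of the whole build output into the final image, since both COPY lines read the same source from build-stage. The stricter policy for /h5p/ is attached by the `add_header Content-Security-Policy "${h5pcsp}"` line in the nginx `location /h5p/` block (second hunk of dockerconf/nginx.conf.template), not by a separate index.html, so one tree under /usr/share/nginx/html/frontend appears to be enough if that location's `root` points at it; this COPY and its comment could then be dropped. If the two trees are meant to diverge later, the comment should say so, because as written it suggests the copied file itself carries the CSP rules.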
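Review bot: The new $h5pcsp script-src keeps `https:` but drops the `'strict-dynamic'` that $csp has, and that changes what `https:` means: with 'strict-dynamic' present, CSP3 browsers ignore scheme and host sources, whereas without it `https:` is honored everywhere, so under /h5p/ any external script from any https origin is allowed and the nonce no longer limits which scripts can be loaded (it still gates inline scripts, since 'unsafe-inline' is ignored when a nonce is present). If ${H5P_SCRIPT_SRC_URLS} already lists the hosts the H5P player needs, the scheme source can go: `script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline';` with 'unsafe-inline' kept only as the fallback for browsers that predate nonces, which is presumably why $csp carries it. If `https:` is a deliberate catch-all because the content hosts are not known in advance, a comment above this `set` saying so would stop the next reader from tightening it by mistake.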
@@ -61,8 +63,22 @@ server {
 proxy_pass ${LEGACY_CLIENT_URL};
 }
+ location /h5p/ {
+ root /usr/share/nginx/html/h5p;
+ index index.html index.htm;
+ add_header Content-Security-Policy "${h5pcsp}";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy 'same-origin';
+ add_header X-XSS-Protection '1; mode=block';
+ add_header X-Frame-Options 'SAMEORIGIN';
+ add_header Permissions-Policy 'fullscreen=(*), sync-xhr=(*), geolocation=(self), midi=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), payment=()';
+ sub_filter_once off;
+ sub_filter '**CSP_NONCE**' $request_id;
+ try_files $uri /index.html =404;
+ }
+
 location / {
- root /usr/share/nginx/html;
+ root /usr/share/nginx/html/frontend;
 index index.html index.htm;
 add_header Content-Security-Policy "${csp}";
 add_header X-Content-Type-Options nosniff;
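Review bot: `root /usr/share/nginx/html/h5p;` is concatenated with the request URI, so a request for /h5p/x is looked up at /usr/share/nginx/html/h5p/h5p/x, a path the Dockerfile never creates; every request in this location therefore misses the `$uri` step and lands on the `/index.html` fallback of `try_files`. If only the SPA entry point is meant to be served here, `root /usr/share/nginx/html/frontend;` gives the same outcome without a second copy of dist, because the distinct policy comes from this location's `add_header Content-Security-Policy "${h5pcsp}"` rather than from the file on disk. If files below /h5p/ are meant to be served from that directory, `alias /usr/share/nginx/html/h5p/;` is the directive that maps the location prefix onto a directory. Separately, `X-XSS-Protection '1; mode=block'` turns on a filter current browsers have removed and that OWASP now advises disabling with a value of `0`; since the same header is set in `location /`, the two should be changed together rather than only here.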