diff --git a/.htaccess b/.htaccess
index 8c4ad374a80c..4f32bd70a54a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,11 @@
-ErrorDocument 404 /404.html
-
-
- Header set Content-Security-Policy "frame-src 'self' https://www.google.com https://app.netlify.com"
-
+ErrorDocument 404 /404.html
+
+
+ Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; \
+ frame-src 'self' https://www.youtube.com https://player.bilibili.com https://hcaptcha.com https://*.hcaptcha.com; \
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \
+ connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app; \
+ frame-ancestors 'self'; \
+ object-src 'none'; \
+ upgrade-insecure-requests;"
+
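Review bot: The new `script-src` keeps both `'unsafe-inline'` and `'unsafe-eval'`, so the policy does little to contain injected script despite the host allow-list, and `default-src 'self' https: data: 'unsafe-inline'` lets every unlisted directive load from any HTTPS origin. If the theme's inline scripts can carry a nonce or hash, drop `'unsafe-inline'`, and drop `'unsafe-eval'` unless one of the listed widgets is confirmed to need it. `https://api.github.com` looks like a data endpoint, so it probably belongs only in `connect-src`. The hCaptcha hosts appear in `frame-src` and `script-src` but not in `connect-src`, which hCaptcha's CSP guidance also lists, so the widget's network calls may be blocked; append `https://hcaptcha.com https://*.hcaptcha.com` there. `base-uri` and `form-action` do not fall back to `default-src`, so consider adding `base-uri 'self'; \` as well.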
diff --git a/themes/docsy/layouts/partials/scripts.html b/themes/docsy/layouts/partials/scripts.html
index 77a58c48c827..5c27a612f6e4 100644
--- a/themes/docsy/layouts/partials/scripts.html
+++ b/themes/docsy/layouts/partials/scripts.html
@@ -59,5 +59,6 @@
data-consent-screen-disclaimer="By clicking 'Allow tracking', you consent to anonymous user tracking which helps us improve our service. We don't collect any personally identifiable information."
data-consent-screen-accept-button-text="Allow tracking"
data-consent-screen-reject-button-text="No, thanks"
+data-bot-protection-mechanism="hcaptcha"
>
{{ partial "hooks/body-end.html" . }}
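Review bot: The added `data-bot-protection-mechanism="hcaptcha"` attribute only works where the hCaptcha hosts are allowed by the Content-Security-Policy set in `.htaccess`, and nothing in this template records that dependency. A template comment placed before the tag, such as `{{/* hCaptcha needs hcaptcha.com and *.hcaptcha.com allowed in the site CSP (.htaccess) */}}`, would keep the two files in step. The tag opens outside this hunk, so the comment would have to go above the visible lines. Enabling hCaptcha presumably also sends visitor requests to a third party, so check that the consent disclaimer above ("We don't collect any personally identifiable information") still describes the page accurately.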