diff --git a/README.md b/README.md
index bbf83b8..613c49b 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,11 @@ Example variables
 wikijs_db_password: 'please-vault-this-too'
 wikijs_custom_css:
 - custom.css
+ wikijs_custom_hsts_stsSeconds : "31536000"
+ wikijs_custom_hsts_stsIncludeSubdomains : true
+ wikijs_custom_hsts_stsPreload : true
+ wikijs_custom_hsts_forceSTSHeader : true
+ wikijs_custom_csp : "default-src 'self' 'unsafe-inline' data: https://www.test.com https://www.test2.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.test.com;"
 pgadmin_domain: 'pgadmin.example.com'
 pgadmin_email: 'admin@example.com'
diff --git a/templates/compose/wikijs.yml.j2 b/templates/compose/wikijs.yml.j2
index 57b7041..a774def 100644
--- a/templates/compose/wikijs.yml.j2
+++ b/templates/compose/wikijs.yml.j2
@@ -38,6 +38,8 @@ services:
 command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
 volumes:
 - wikijs_db__var_lib_mysql:/var/lib/mysql
+ ports:
+ - {{ wikijs_db_port | default("3306") }}:3306
 environment:
 - MYSQL_ROOT_PASSWORD=$DB_ROOT_PASSWORD
 - MYSQL_DATABASE=$DB_NAME
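Review bot: The added `ports:` block publishes the MariaDB port unconditionally, because `default("3306")` supplies a value even when `wikijs_db_port` is unset, and the mapping carries no host address, so the database is reachable on every host interface instead of only on the compose network the wikijs service uses. If host access is needed at all, bind it to loopback, `- "127.0.0.1:{{ wikijs_db_port | default('3306') }}:3306"`, and consider wrapping the two added lines in `{% if wikijs_db_port is defined %}` so the port is only published when an operator opts in. Published ports are also inserted into Docker's own iptables chains and therefore commonly bypass host-level firewall rules, which makes an always-on default riskier than it looks. The new `wikijs_db_port` variable is not documented in this commit's README hunk, which only adds the HSTS and CSP variables. The database service definition starts and ends outside the hunk.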
@@ -83,3 +85,25 @@ services:
 traefik.http.routers.wikijs.tls.certresolver: letsencrypt
 traefik.http.routers.wikijs.entrypoints: "websecure"
 com.centurylinklabs.watchtower.enable: true
+{% if wikijs_custom_hsts_stsSeconds is defined
+ and wikijs_custom_hsts_stsIncludeSubdomains is defined
+ and wikijs_custom_hsts_stsPreload is defined
+ and wikijs_custom_hsts_forceSTSHeader is defined %}
+ # HSTS
+ traefik.http.middlewares.mw-security-headers.headers.stsSeconds: "{{ wikijs_custom_hsts_stsSeconds }}"
+ traefik.http.middlewares.mw-security-headers.headers.stsIncludeSubdomains: "{{ wikijs_custom_hsts_stsIncludeSubdomains }}"
+ traefik.http.middlewares.mw-security-headers.headers.stsPreload: "{{ wikijs_custom_hsts_stsPreload }}"
+ traefik.http.middlewares.mw-security-headers.headers.forceSTSHeader: "{{ wikijs_custom_hsts_forceSTSHeader }}"
+{% endif %}
+{% if wikijs_custom_csp is defined %}
+ # CSP
+ traefik.http.middlewares.mw-security-headers.headers.contentSecurityPolicy: "{{ wikijs_custom_csp }}"
+{% endif %}
+{% if (wikijs_custom_hsts_stsSeconds is defined
+ and wikijs_custom_hsts_stsIncludeSubdomains is defined
+ and wikijs_custom_hsts_stsPreload is defined
+ and wikijs_custom_hsts_forceSTSHeader is defined)
+ or wikijs_custom_csp is defined %}
+ # application du middleware security-headers
+ traefik.http.routers.wikijs.middlewares: "mw-security-headers"
+{% endif %}
\ No newline at end of file
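Review bot: The HSTS labels are emitted only when all four `wikijs_custom_hsts_*` variables are defined, so an inventory that sets `wikijs_custom_hsts_stsSeconds` but omits one of the three booleans silently produces no HSTS header and no middleware, and the same four-way condition is repeated verbatim in the final `{% if %}` that attaches the middleware to the router. Gating on `wikijs_custom_hsts_stsSeconds` alone, rendering the three booleans with `| default(false)`, and computing the flag once with `{% set %}` removes both the silent drop-out and the duplication; the fence below shows that rewrite. If the labels mapping already carries a `traefik.http.routers.wikijs.middlewares` key earlier in the file (outside this hunk), the added line would be a duplicate YAML key whose last value wins silently, so that is worth checking before merge. The CSP value is interpolated inside a double-quoted YAML scalar, so a policy containing a `"` would break the rendered file; the README example uses only single quotes, so this is a robustness note rather than a breakage today.
```jinja2
{% set wikijs_hsts_enabled = wikijs_custom_hsts_stsSeconds is defined %}
{% if wikijs_hsts_enabled %}
      # HSTS (booleans default to false so a partially filled inventory still gets the header)
      traefik.http.middlewares.mw-security-headers.headers.stsSeconds: "{{ wikijs_custom_hsts_stsSeconds }}"
      traefik.http.middlewares.mw-security-headers.headers.stsIncludeSubdomains: "{{ wikijs_custom_hsts_stsIncludeSubdomains | default(false) }}"
      traefik.http.middlewares.mw-security-headers.headers.stsPreload: "{{ wikijs_custom_hsts_stsPreload | default(false) }}"
      traefik.http.middlewares.mw-security-headers.headers.forceSTSHeader: "{{ wikijs_custom_hsts_forceSTSHeader | default(false) }}"
{% endif %}
{# … unchanged: CSP block … #}
{% if wikijs_hsts_enabled or wikijs_custom_csp is defined %}
      # attach the security-headers middleware to the router
      traefik.http.routers.wikijs.middlewares: "mw-security-headers"
{% endif %}
```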