diff --git a/doc/developers-guide/app-development/rest.md b/doc/developers-guide/app-development/rest.md
index 624e9fd0a794..27be01c7edb9 100644
--- a/doc/developers-guide/app-development/rest.md
+++ b/doc/developers-guide/app-development/rest.md
@@ -45,7 +45,10 @@ If `rest-port` is not specified, the plugin will disable itself.
 - --rest-port: Sets the REST server port to listen to (3010 is common)
 - --rest-protocol: Specifies the REST server protocol. Default is HTTPS.
 - --rest-host: Defines the REST server host. Default is 127.0.0.1.
-- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity (`client.pem` and `client-key.pem`) will be generated.
+- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity will be generated.
+- --rest-csp: Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks. 
+Default CSP is set as `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`.
+Example CSP: `rest-csp=default-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; style-src 'self'; script-src 'self';`.
 - --rest-cors-origins:   Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins. Example to define multiple origins:
 
 ```
diff --git a/doc/lightningd-config.5.md b/doc/lightningd-config.5.md
index 19f8f3aace49..17689262fce3 100644
--- a/doc/lightningd-config.5.md
+++ b/doc/lightningd-config.5.md
@@ -642,6 +642,9 @@ authenticate to the Tor control port.
 
   Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins.
 
+* **rest-csp**=*CSPOLICY*  [plugin `clnrest.py`]
+
+  Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks. Default CSP is `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`.
 
 ### Lightning Plugins