diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index 4be198227c..67cbb98107 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -1,13 +1,21 @@
 import { collectEvents } from "next-collect/server";
 import { NextMiddleware, NextResponse, userAgent } from "next/server";
 
-import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL, IS_SELF_HOSTED } from "@calcom/lib/constants";
 import { isIpInBanlist } from "@calcom/lib/getIP";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
 
 const middleware: NextMiddleware = async (req) => {
   const url = req.nextUrl;
 
+  //TODO: Might be a good idea to extract out all conditions where IS_SELF_HOSTED is handled in a Cal.config.ts file, so that self hosters can also enable this features just by modifying that config
+  if (url.pathname.startsWith("/auth/login") && !IS_SELF_HOSTED) {
+    console.log("Redirecting to login page");
+    const response = NextResponse.next();
+    response.headers.set("X-Frame-Options", "SAMEORIGIN");
+    return response;
+  }
+
   if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
     const callbackUrl = url.searchParams.get("callbackUrl");
     const { isBot } = userAgent(req);
@@ -40,7 +48,13 @@ const middleware: NextMiddleware = async (req) => {
 };
 
 export const config = {
-  matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
+  matcher: [
+    "/api/collect-events/:path*",
+    "/api/auth/:path*",
+    "/apps/routing_forms/:path*",
+    "/:path*/embed",
+    "/auth/login",
+  ],
 };
 
 export default collectEvents({
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index ebb886540f..cb13db7121 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
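Review bot: The log line `console.log("Redirecting to login page");` in the new `/auth/login` branch is misleading: the branch does not redirect, it calls `NextResponse.next()` and only attaches `X-Frame-Options: SAMEORIGIN` to the pass-through response, and it will fire on every login-page request in the edge runtime. Either drop the log or make it describe what happens, e.g. `console.log("Setting X-Frame-Options on /auth/login");`. Worth noting as well that this branch is gated on `!IS_SELF_HOSTED` while the CSP header in next.config.js is gated on `NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com"`; if those two conditions can ever disagree, the login page will carry one protection without the other. The rest of the middleware body lies outside the hunk.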
@@ -263,28 +263,27 @@ const nextConfig = {
     return redirects;
   },
   async headers() {
-    const ContentSecurityPolicy = `
+    const ContentSecurityPolicyForCalHosted = `
       default-src 'self';
       script-src 'self';
       child-src app.cal.com;
       style-src 'self' app.cal.com;
       font-src 'self';
     `;
-    return [
-      {
+    const redirects = [];
+
+    if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") {
+      redirects.push({
         source: "/:path*",
         headers: [
-          {
-            key: "X-Frame-Options",
-            value: "SAMEORIGIN",
-          },
           {
             key: "Content-Security-Policy",
-            value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
+            value: ContentSecurityPolicyForCalHosted.replace(/\s{2,}/g, " ").trim(),
           },
         ],
-      },
-    ];
+      });
+    }
+    return redirects;
   },
 };
 
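Review bot: Dropping the `X-Frame-Options: SAMEORIGIN` entry from the `/:path*` header set removes framing protection from every page except `/auth/login` (now handled in middleware, and only when not self-hosted), and the CSP that remains has no `frame-ancestors` directive to replace it; on deployments where `NEXT_PUBLIC_WEBAPP_URL` is not `https://app.cal.com`, `headers()` now returns an empty array, so neither header is sent at all. If the goal is to allow embedding on specific routes, keep the header and exempt those routes explicitly, or add `frame-ancestors 'self';` to the policy so the protection survives for the rest of the app. Separately, the array is named `redirects` but holds header rules; `const headersForCalHosted = [];` would match its contents. The enclosing `nextConfig` object starts outside the hunk.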