diff --git a/apps/base/nextcloud/release.yaml b/apps/base/nextcloud/release.yaml
index d196200d8a7c5b92244fef2bf7e51ae0d41b6076..9a78fedba0104e4e09d3b5ccec1969038551bb89 100644
--- a/apps/base/nextcloud/release.yaml
+++ b/apps/base/nextcloud/release.yaml
@@ -108,6 +108,11 @@ data:
           location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
             deny all;
           }
+        nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+        nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
+        nginx.ingress.kubernetes.io/modsecurity-snippet: |
+            SecRuleEngine On
+            Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
     persistence:
       enabled: true
     resources: