diff --git a/packages/core/strapi/lib/middlewares/security.js b/packages/core/strapi/lib/middlewares/security.js
index 88dc7dedf8..6527d59276 100644
--- a/packages/core/strapi/lib/middlewares/security.js
+++ b/packages/core/strapi/lib/middlewares/security.js
@@ -35,13 +35,14 @@ module.exports = (config, { strapi }) => (ctx, next) => {
 let helmetConfig = defaultsDeep(defaults, config);
- const { config: gqlConfig } = strapi.plugin('graphql');
- const gqlEndpoint = gqlConfig('endpoint');
+ const specialPaths = ['/documentation'];
- if (
- ctx.method === 'GET' &&
- [gqlEndpoint, '/documentation'].some((str) => ctx.path.startsWith(str))
- ) {
+ if (strapi.plugin('graphql')) {
+ const { config: gqlConfig } = strapi.plugin('graphql');
+ specialPaths.push(gqlConfig('endpoint'));
+ }
+
+ if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {
 helmetConfig = merge(helmetConfig, {
 contentSecurityPolicy: {
 directives: {
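Review bot: `specialPaths.push(gqlConfig('endpoint'))` adds whatever the plugin config returns without validating it, and the match that follows is a bare `ctx.path.startsWith(str)`. An empty-string endpoint would match every GET path, and a prefix match without a segment boundary also covers sibling paths that merely begin with `/documentation` or the GraphQL endpoint, so the merged `contentSecurityPolicy` directives (their contents lie outside this hunk; presumably a relaxation for the playground and docs UI) could apply more widely than intended. I would push the endpoint only when it is a non-empty string and compare on a boundary, e.g. `ctx.path === p || ctx.path.startsWith(p + '/')`. `/documentation` is also still listed unconditionally while the graphql entry is now guarded; a matching plugin-presence check would keep the override off when that plugin is not installed. The middleware body continues past the end of the hunk.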