diff --git a/apps/login/src/app/security/route.ts b/apps/login/src/app/security/route.ts
new file mode 100644
index 0000000000..e89a609e52
--- /dev/null
+++ b/apps/login/src/app/security/route.ts
@@ -0,0 +1,27 @@
+import { createServiceForHost, getServiceUrlFromHeaders } from "@/lib/service";
+import { Client } from "@zitadel/client";
+import { SettingsService } from "@zitadel/proto/zitadel/settings/v2/settings_service_pb";
+import { headers } from "next/headers";
+import { NextRequest, NextResponse } from "next/server";
+
+export async function GET(request: NextRequest) {
+ const _headers = await headers();
+ const { serviceUrl } = getServiceUrlFromHeaders(_headers);
+
+ const settingsService: Client =
+ await createServiceForHost(SettingsService, serviceUrl);
+
+ const settings = settingsService
+ .getSecuritySettings({})
+ .then((resp) => (resp.settings ? resp.settings : undefined));
+
+ const response = NextResponse.json({ settings }, { status: 200 });
+
+ // Add Cache-Control header to cache the response for up to 1 hour
+ response.headers.set(
+ "Cache-Control",
+ "public, max-age=3600, stale-while-revalidate=86400",
+ );
+
+ return response;
+}
diff --git a/apps/login/src/middleware.ts b/apps/login/src/middleware.ts
index 4ae8e2a47c..22dc143790 100644
--- a/apps/login/src/middleware.ts
+++ b/apps/login/src/middleware.ts
@@ -2,7 +2,6 @@ import { headers } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
 import { DEFAULT_CSP } from "../constants/csp";
 import { getServiceUrlFromHeaders } from "./lib/service";
-import { getSecuritySettings } from "./lib/zitadel";
 
 export const config = {
 matcher: [
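Review bot: `settings` is still a pending Promise at the point it is passed to `NextResponse.json({ settings })`, because the `getSecuritySettings({}).then(...)` chain started on the `const settings = settingsService` line is never awaited; JSON serialization turns a Promise into `{}`, so the middleware that reads `settings` from this route receives an empty object, and a failed RPC becomes an unhandled rejection after the 200 has already been sent. Awaiting the chain fixes both: `const settings = await settingsService` with the `.getSecuritySettings({})` and `.then(...)` lines unchanged, so an RPC failure propagates as a 5xx that the caller's `ok` check can see instead of a silently empty body. Separately, `public, max-age=3600` lets shared caches hold the response for an hour while `serviceUrl` is resolved from request headers rather than the URL; confirm that any shared cache in front of this route keys on that header (or switch to `private` / add a matching `Vary`), otherwise one host's settings could be served for another. `request` is unused in `GET` and can be dropped or renamed to `_request`.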
@@ -26,8 +25,19 @@ export async function middleware(request: NextRequest) { console.log("defaultCSP", DEFAULT_CSP); - const securitySettings = await getSecuritySettings({ serviceUrl }); + // Call the /security route handler + // TODO check this on cloud run deployment + const securityResponse = await fetch(`${request.nextUrl.origin}/security`); + if (!securityResponse.ok) { + console.error( + "Failed to fetch security settings:", + securityResponse.statusText, + ); + return NextResponse.next(); // Fallback if the request fails + } + + const { settings: securitySettings } = await securityResponse.json(); console.log("securitySettings", securitySettings); const instanceHost = `${serviceUrl}`