diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 443d2e514..1c2854f73 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -90,6 +90,14 @@ Match Group sftp.main,!ssh.main
     # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
     PermitUserRC no
 
+Match Group sftp.app,!ssh.app
+    ForceCommand internal-sftp
+    ChrootDirectory %h
+    AllowTcpForwarding no
+    AllowStreamLocalForwarding no
+    PermitTunnel no
+    PermitUserRC no
+    PasswordAuthentication yes
 
 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and