diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 3d7c3ced7..3e9f17bf4 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3400,6 +3400,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 				   line, pos);
 			return 1;
 		}
+	} else if (os_strcmp(buf, "beacon_prot") == 0) {
+		bss->beacon_prot = atoi(pos);
 	} else if (os_strcmp(buf, "assoc_sa_query_max_timeout") == 0) {
 		bss->assoc_sa_query_max_timeout = atoi(pos);
 		if (bss->assoc_sa_query_max_timeout == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 395ddfa00..0433fed8a 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1678,6 +1678,12 @@ own_ip_addr=127.0.0.1
 # available in deployed devices.
 #group_mgmt_cipher=AES-128-CMAC
 
+# Beacon Protection (management frame protection for Beacon frames)
+# This depends on management frame protection being enabled (ieee80211w != 0).
+# 0 = disabled (default)
+# 1 = enabled
+#beacon_prot=0
+
 # Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
 # (maximum time to wait for a SA Query response)
 # dot11AssociationSAQueryMaximumTimeout, 1...4294967295
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index e603605b1..ca9ae14cd 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -349,6 +349,7 @@ struct hostapd_bss_config {
 	int wpa_key_mgmt;
 	enum mfp_options ieee80211w;
 	int group_mgmt_cipher;
+	int beacon_prot;
 	/* dot11AssociationSAQueryMaximumTimeout (in TUs) */
 	unsigned int assoc_sa_query_max_timeout;
 	/* dot11AssociationSAQueryRetryTimeout (in TUs) */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 437719b17..c066d9979 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -188,6 +188,7 @@ struct wpa_auth_config {
 	int okc;
 	int tx_status;
 	enum mfp_options ieee80211w;
+	int beacon_prot;
 	int group_mgmt_cipher;
 	int sae_require_mfp;
 #ifdef CONFIG_OCV
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 894c1a1b2..7dc4c8e6b 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -67,6 +67,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 #endif /* CONFIG_OCV */
 	wconf->okc = conf->okc;
 	wconf->ieee80211w = conf->ieee80211w;
+	wconf->beacon_prot = conf->beacon_prot;
 	wconf->group_mgmt_cipher = conf->group_mgmt_cipher;
 	wconf->sae_require_mfp = conf->sae_require_mfp;
 #ifdef CONFIG_IEEE80211R_AP