diff --git a/Caddyfile b/Caddyfile
index 1921f60..098b46b 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,4 +1,9 @@
 localhost {
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Frame-Options "DENY"
+        X-Content-Type-Options "nosniff"
+    }
     handle /uploads/* {
         root * /srv
         file_server
diff --git a/app/src/middleware.ts b/app/src/middleware.ts
index da96832..e074ee2 100644
--- a/app/src/middleware.ts
+++ b/app/src/middleware.ts
@@ -4,6 +4,14 @@ import type { NextRequest } from 'next/server'
 export function middleware(request: NextRequest) {
   const response = NextResponse.next()
   response.headers.set('x-pathname', request.nextUrl.pathname)
+  response.headers.set('X-Frame-Options', 'DENY')
+  response.headers.set('X-Content-Type-Options', 'nosniff')
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
+  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
+  response.headers.set(
+    'Content-Security-Policy',
+    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com; frame-ancestors 'none'"
+  )
   return response
 }