diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/app.conf.template
index 9cc9b82c0..45ce66244 100644
--- a/docker/webserver/nginx_templates/app.conf.template
+++ b/docker/webserver/nginx_templates/app.conf.template
@@ -133,6 +133,14 @@ server {
         allow all;
     }
 
+    add_header 'X-Frame-Options' 'SAMEORIGIN' always;
+    add_header 'X-Content-Type-Options' 'nosniff' always;
+    add_header 'X-Clacks-Overhead' 'GNU Terry Pratchett' always;
+    add_header 'Referrer-Policy' 'same-origin' always;
+    add_header 'X-XSS-Protection' '1; mode=block' always;
+    add_header 'Strict-Transport-Security' 'max-age=31536000;' always;
+    add_header 'Content-Security-Policy' "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'" always;
+
     # redirect to no-www domainname
     location ~ /(.*) {
         return 301 https://${INTERNETNL_DOMAINNAME}$request_uri;
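Review bot: The new X-Frame-Options and Content-Security-Policy lines contradict each other: `frame-ancestors 'none'` forbids all framing, including same-origin, while `X-Frame-Options: SAMEORIGIN` permits it, and browsers that understand frame-ancestors ignore X-Frame-Options, so the effective policy differs between old and new user agents. Pick one intent and make both headers say it, e.g. `add_header 'X-Frame-Options' 'DENY' always;` if framing is never wanted, or change the CSP to `frame-ancestors 'self'` if same-origin framing is needed. The `X-XSS-Protection '1; mode=block'` line enables a legacy filter that current guidance recommends disabling (`'0'`) because it has been abused to create information leaks in browsers that still implement it. Also note that nginx's `add_header` is only inherited into a `location` block that declares no `add_header` of its own, so any location in this server block (including ones outside this hunk) that sets its own header silently loses the whole set added here; the HSTS value's trailing `;` is tolerated but unusual and is worth trimming. The enclosing `server {` block starts and ends outside the hunk.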