diff --git a/go.mod b/go.mod
index b87adf0..6322def 100644
--- a/go.mod
+++ b/go.mod
@@ -30,7 +30,8 @@ require (
 	github.com/spf13/cast v1.3.1
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.7.1
-	github.com/tdewolff/minify/v2 v2.9.7
+	github.com/tdewolff/minify/v2 v2.9.8
+	github.com/tdewolff/parse/v2 v2.5.5 // indirect
 	github.com/vcraescu/go-paginator v0.0.0-20200923074551-426b20f3ae8a
 	github.com/yuin/goldmark v1.2.1
 	github.com/yuin/goldmark-emoji v1.0.1
diff --git a/go.sum b/go.sum
index 08f0af9..b3f1cf2 100644
--- a/go.sum
+++ b/go.sum
@@ -272,10 +272,12 @@ github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/tdewolff/minify/v2 v2.9.7 h1:r8ewdcX8VYUoNj+s9WSy4FtNNNqNPevWOkb/MksAtzQ=
-github.com/tdewolff/minify/v2 v2.9.7/go.mod h1:AcJ/ggtHex5N/QiafLI8rlIO3qwSlgbPNLi27VZSYz8=
+github.com/tdewolff/minify/v2 v2.9.8 h1:BzGEqnHOWKgF8HUuXin+MuuWOAR4s4xFcZS1qydnsQg=
+github.com/tdewolff/minify/v2 v2.9.8/go.mod h1:AcJ/ggtHex5N/QiafLI8rlIO3qwSlgbPNLi27VZSYz8=
 github.com/tdewolff/parse/v2 v2.5.4 h1:ggaQ1SVE8wErRrZwUs49I6iQ1zL/tFlb7KtYsk2I8Yk=
 github.com/tdewolff/parse/v2 v2.5.4/go.mod h1:WzaJpRSbwq++EIQHYIRTpbYKNA3gn9it1Ik++q4zyho=
+github.com/tdewolff/parse/v2 v2.5.5 h1:b7ICJa4I/54JQGEGgTte8DiyJPKcC5g8V773QMzkeUM=
+github.com/tdewolff/parse/v2 v2.5.5/go.mod h1:WzaJpRSbwq++EIQHYIRTpbYKNA3gn9it1Ik++q4zyho=
 github.com/tdewolff/test v1.0.6 h1:76mzYJQ83Op284kMT+63iCNCI7NEERsIN8dLM+RiKr4=
 github.com/tdewolff/test v1.0.6/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
diff --git a/http.go b/http.go
index db63a26..87b58f2 100644
--- a/http.go
+++ b/http.go
@@ -44,7 +44,7 @@ func startServer() (err error) {
 	tlsConfig := certManager.TLSConfig()
 	server := http.Server{
 		Addr: ":https",
-		Handler: d,
+		Handler: securityHeaders(d),
 		TLSConfig: tlsConfig,
 	}
 	go http.ListenAndServe(":http", certManager.HTTPHandler(nil))
@@ -205,6 +205,18 @@ func buildHandler() (http.Handler, error) {
 	return r, nil
 }
 
+func securityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("Strict-Transport-Security", "max-age=31536000;")
+		w.Header().Add("Referrer-Policy", "no-referrer")
+		w.Header().Add("X-Content-Type-Options", "nosniff")
+		w.Header().Add("X-Frame-Options", "SAMEORIGIN")
+		w.Header().Add("X-Xss-Protection", "1; mode=block")
+		// TODO: Add CSP
+		next.ServeHTTP(w, r)
+	})
+}
+
 type dynamicHandler struct {
 	realHandler http.Handler
 	changeMutex *sync.Mutex
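Review bot: securityHeaders uses Header().Add for all five headers, which appends rather than replaces, so any handler downstream of it that also emits one of these names leaves the response with duplicate values (for Strict-Transport-Security a user agent then processes only the first field it sees, per RFC 6797); `w.Header().Set(...)` is the conventional form for a middleware asserting a fixed policy. The HSTS value `max-age=31536000;` ends with a semicolon and an empty directive, which the header grammar tolerates but which is unusual, so `max-age=31536000` is the plain form to use. `X-Xss-Protection: 1; mode=block` targets a browser filter that current engines no longer ship and that was itself a source of issues, so current guidance favours dropping it or setting `0` and relying on the CSP the TODO already mentions. The function has no doc comment; suggest `// securityHeaders wraps next and sets a fixed set of browser hardening response headers before delegating to it.` buildHandler's body begins outside this hunk and the dynamicHandler definition continues past it.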