diff --git a/Build.PL b/Build.PL
index 38c5c02e..ef2a2534 100644
--- a/Build.PL
+++ b/Build.PL
@@ -71,6 +71,7 @@ Module::Build->new(
 'Plack::Handler::Twiggy' => '0',
 'Plack::Middleware::Debug' => '0',
 'Plack::Middleware::Expires' => '0.03',
+ 'Plack::Middleware::Headers' => '0',
 'Plack::Middleware::ReverseProxy' => '0.15',
 'Pod::Usage' => 0,
 'Regexp::Common' => 2017060201,
diff --git a/bin/netdisco-web-fg b/bin/netdisco-web-fg
index 91b894e2..d46c4fc9 100755
--- a/bin/netdisco-web-fg
+++ b/bin/netdisco-web-fg
@@ -31,6 +31,12 @@ BEGIN {
 set plack_middlewares => [
 ['Plack::Middleware::ReverseProxy'],
+ [ Headers => (
+ set => ['X-Frame-Options' => setting('HTTP-Header-X-Frame-Options')],
+ )],
+ [ Headers => (
+ set => ['Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy')],
+ )],
 [ Expires => (
 content_type => [qr{^application/javascript}, qr{^text/css}, qr{image}, qr{font}],
 expires => 'access plus 1 day',
diff --git a/share/config.yml b/share/config.yml
index c5c805dc..9c75059f 100644
--- a/share/config.yml
+++ b/share/config.yml
@@ -533,3 +533,6 @@ template: 'netdisco_template_toolkit'
 route_cache: true
 appname: 'Netdisco'
 behind_proxy: false
+HTTP-Header-X-Frame-Options: 'DENY'
+HTTP-Header-Content-Security-Policy: 'none'
+
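Review bot: The two added `Headers` entries in the plack_middlewares list each install a separate middleware layer to set one header; a single `Headers => (set => [...])` entry carrying both pairs does the same work in one layer and keeps the response-security headers together. The `setting(...)` calls also appear to be evaluated once, when the list is built inside BEGIN, so a deployment whose config.yml predates these keys would (as far as I can tell from the hunk) hand an undefined value to the middleware rather than omit the header; guarding each pair with a truthiness check on the setting before it is pushed would make that case explicit. The `set plack_middlewares` list and the enclosing BEGIN block close outside the hunk.
```perl
  set plack_middlewares => [
    ['Plack::Middleware::ReverseProxy'],
    [ Headers => (
      set => [
        'X-Frame-Options' => setting('HTTP-Header-X-Frame-Options'),
        'Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy'),
      ],
    )],
    # … unchanged: Expires entry and the rest of the list …
```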
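Review bot: `HTTP-Header-Content-Security-Policy: 'none'` is not a valid Content-Security-Policy value: a CSP is a list of directives such as `default-src 'self'`, and a bare `none` is an unrecognised directive that browsers discard, so this default emits a header that provides no protection while appearing to enable one. If `'none'` is meant as a sentinel for "do not send this header", the Headers middleware added in bin/netdisco-web-fg does not treat it that way and will emit the literal value; either document the sentinel and skip the header when it is set, or ship a policy the UI actually loads under, which needs checking against the templates' inline scripts and styles before choosing it. A comment above these two keys naming the accepted values would help operators, e.g. `# Full CSP directive list, e.g. "default-src 'self'"; see the Netdisco docs before tightening`. The `X-Frame-Options: 'DENY'` default is a reasonable choice for an admin UI that is not meant to be framed.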