diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 43707c1..3c80351 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
@@ -5,6 +5,7 @@ RUN addgroup web && adduser -D -G web web && install -d -D -o web -g web -m 700
 RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
 COPY --chown=web:web docker/server/nginx.conf /srv/http
+COPY --chown=web:web docker/server/headers.include /srv/http
 COPY --chown=web:web static/ /srv/http/public/
 ENTRYPOINT ["/usr/sbin/nginx", "-c", "/srv/http/nginx.conf", "-e", "stderr", "-g", "daemon off;"]
diff --git a/docker/server/headers.include b/docker/server/headers.include
new file mode 100644
index 0000000..ffb49b9
--- /dev/null
+++ b/docker/server/headers.include
@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
diff --git a/docker/server/nginx.conf b/docker/server/nginx.conf
index 61a40e8..a45cc67 100644
--- a/docker/server/nginx.conf
+++ b/docker/server/nginx.conf
@@ -19,6 +19,8 @@ http {
 sendfile on;
 tcp_nopush on;
+ include headers.include;
+
 server {
 listen 8080;
 root /srv/http/public;
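Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the new headers.include turns on a browser filter that is deprecated rather than protective — Chrome removed its XSS Auditor, Firefox never implemented one, and current OWASP guidance is to disable it because the filter itself has been abused for cross-site leaks — so the safer line is `add_header X-XSS-Protection "0" always;` with a `Content-Security-Policy` (e.g. `default-src 'self'; frame-ancestors 'none'`) carrying the real protection. The HSTS line only has an effect when the response reaches the browser over TLS; the `server` block in nginx.conf listens on plain port 8080, so this presumably relies on a TLS-terminating proxy in front that forwards the header, which the comment should say, along with why it is dangerous in testing: browsers cache the policy for `max-age` and will refuse plain-HTTP connections to that host for a year. The stray `;` inside `"max-age=31536000;"` is tolerated but nonstandard; the usual value is `"max-age=31536000; includeSubDomains"`. A `Referrer-Policy` header would round out the set.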
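Review bot: `include headers.include;` uses a relative path, which nginx resolves against its prefix directory (`-p`, defaulting to the compile-time `--prefix`), not against the directory of the `-c` config file; the Dockerfile copies the file to /srv/http and the ENTRYPOINT starts nginx without `-p`, so unless this image's prefix happens to be /srv/http the master will fail at startup with an open() error for `<prefix>/headers.include`. Use the absolute path, `include /srv/http/headers.include;` (or add `"-p", "/srv/http"` to the ENTRYPOINT). Separately, `add_header` directives at the `http` level are inherited only by `server`/`location` blocks that define no `add_header` of their own, so any block that later adds e.g. `Cache-Control` for static files silently drops all four security headers; a comment next to the include, `# NOTE: any add_header in a server/location block replaces this whole set`, would save the next maintainer from that surprise. The `http` block continues outside the hunk.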