diff --git a/nginx/snippets/headers.conf b/nginx/snippets/headers.conf
new file mode 100644
index 0000000..7f2b384
--- /dev/null
+++ b/nginx/snippets/headers.conf
@@ -0,0 +1,13 @@
+add_header Cache-Control "no-transform";
+add_header X-UA-Compatible "IE=Edge";
+add_header Strict-Transport-Security "max-age=15768000;";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header Referrer-Policy strict-origin;
+add_header Content-Security-Policy "default-src 'self'; base-uri 'none'; object-src 'none'; manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data: https:; connect-src 'self'; media-src 'self'; frame-ancestors 'self'; worker-src 'self' blob:"; 
+#add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'self'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'";
+add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";