diff --git a/afpy.org.yml b/afpy.org.yml
index 7440a46..e1dfe83 100644
--- a/afpy.org.yml
+++ b/afpy.org.yml
@@ -273,6 +273,8 @@ {
 listen [::]:443 ssl http2;
 listen 443 ssl http2;
 server_name photos.afpy.org;
+ add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self'; frame-ancestors 'self'";
+ add_header X-Content-Type-Options "nosniff";
 include snippets/letsencrypt-photos.afpy.org.conf;
 root /var/www/photos.afpy.org/;
 }
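Review bot: Both new `add_header` lines omit the `always` parameter, so nginx attaches them only to 2xx/3xx responses, and error pages served for photos.afpy.org (403, 404, ...) go out without the CSP or `nosniff`; consider `add_header X-Content-Type-Options "nosniff" always;` and the same suffix on the CSP line. In the policy itself, `default-src 'none'` does not cover `base-uri` or `form-action`, because those directives have no fallback; appending `base-uri 'none'; form-action 'none'` would close that gap, assuming the gallery has no forms. nginx inherits server-level `add_header` directives into a location only when that location declares none of its own. The included `snippets/letsencrypt-photos.afpy.org.conf` is not visible here, so it is worth confirming that it has no location with its own `add_header`, which would drop both headers for that path. The server block starts outside the hunk.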