diff --git a/README.md b/README.md
index 479e72e..209e0e6 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ _hastatic_ is a very small web server for serving static files from a Docker con
 - Supports custom index files for URLs ending with "/".
 - Takes care to not serve hidden files.
 - Adds caching headers automatically.
+- Adds security headers automatically.
 - Caches file descriptors and info for better performance.
 
 ## Usage
diff --git a/src/Main.hs b/src/Main.hs
index 08ab8af..127b33d 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -24,6 +24,14 @@ import Paths_hastatic (version)
 
 data TLS = Okay TLS.TLSSettings | Error String | None
 
+addSecureHeaders :: Middleware
+addSecureHeaders = modifyResponse $ mapResponseHeaders (++ secureHeaders)
+ where
+ secureHeaders = [ ("Referrer-Policy", "strict-origin-when-cross-origin")
+ , ("X-Frame-Options", "SAMEORIGIN")
+ , ("X-XSS-Protection", "1; mode=block")
+ ]
+
 indexHTML :: T.Text -> Middleware
 indexHTML indexFile app req respond =
 let path = pathInfo req
@@ -55,6 +63,7 @@ application excludedPaths = do
 indexFile <- T.pack . fromMaybe "index.html" <$> lookupEnv "IDX_FILE"
 cache <- initCaching PublicStaticCaching
 return
+ . addSecureHeaders
 . indexHTML indexFile
 . staticPolicy' cache polcy
 . notFoundHandler
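Review bot: The secureHeaders list in addSecureHeaders omits `X-Content-Type-Options: nosniff`, the header that matters most for a server whose job is handing out arbitrary static files, while it does ship `X-XSS-Protection: 1; mode=block`, a legacy header whose filter is disabled or removed in current browsers and which OWASP now advises setting to `0` or omitting in favour of a Content-Security-Policy. I would make the list `[ ("Referrer-Policy", "strict-origin-when-cross-origin"), ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "SAMEORIGIN") ]` and leave CSP and HSTS for a follow-up, since a CSP default can break hosted sites and `Strict-Transport-Security` should presumably only be emitted when the TLS path (the `TLS` type above) is actually active. The function also deserves a Haddock line, e.g. `-- | Append a fixed set of browser-hardening headers to every response.`, plus a note that `(++ secureHeaders)` appends unconditionally, so a header already present on a response is duplicated rather than replaced. The same list is what the later hunk wires in outermost in `application`, so any value chosen here reaches 404 and index responses as well.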