diff --git a/nginx.conf b/nginx.conf
index 4b3b8f9..d72ef08 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,6 +40,12 @@ server {
 sub_filter_once on;
 sub_filter_last_modified on;
+ # Set sensible headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content" always;
+ # Expose WebDAV on a sub-path
 location /.dav/ {
 alias /srv/;
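Review bot: The added `Referrer-Policy` value `no-referrer-when-downgrade` still sends the full URL, path and query string included, to any cross-origin HTTPS destination, which is weaker than what current browsers do by default; `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` (or `same-origin`) leaks less. The `Content-Security-Policy` line only rewrites sub-resource schemes: `block-all-mixed-content` is deprecated and has no effect next to `upgrade-insecure-requests`, and the policy restricts neither script sources nor framing, so consider appending `frame-ancestors 'self'` as the CSP counterpart of the `X-Frame-Options` line. nginx inherits `add_header` from the `server` level only into blocks that declare no `add_header` of their own, so if `location /.dav/` (its body continues outside the hunk) or any other location sets a header, all four are silently dropped there and would need to be repeated or pulled in through a shared include. The comment `# Set sensible headers` would be more useful if it said what each header is for, e.g. `# Clickjacking, MIME-sniffing, referrer and mixed-content hardening; repeat in any location that uses add_header`.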