diff --git a/production/nginx.conf b/production/nginx.conf
index e57270ee9..edbb0fdad 100644
--- a/production/nginx.conf
+++ b/production/nginx.conf
@@ -141,6 +141,24 @@ http {
 index index.html index.htm index.nginx-debian.html;
 server_name mempool.space; # managed by Certbot
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ set $frameOptions "DENY";
+ set $contentSecurityPolicy "frame-ancestors 'none'";
+ if ($http_referer ~ ^https://mempool.space/)
+ {
+ set $frameOptions "ALLOW-FROM https://mempool.space";
+ set $contentSecurityPolicy "ALLOW-FROM https://mempool.space";
+ }
+ if ($http_referer ~ ^https://wiz.biz/)
+ {
+ set $frameOptions "ALLOW-FROM https://wiz.biz";
+ set $contentSecurityPolicy "ALLOW-FROM https://wiz.biz";
+ }
+
+ add_header X-Frame-Options $frameOptions;
+ add_header Content-Security-Policy $contentSecurityPolicy;
+
 location / {
 try_files $uri $uri/ /index.html =404;
 }
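Review bot: The values set inside the two `if` blocks are not valid for either header: `X-Frame-Options: ALLOW-FROM` is not recognised by current browsers (Chrome and Safari never supported it, Firefox dropped it), and `ALLOW-FROM …` is not a Content-Security-Policy directive at all, so in the allow branches both headers are silently ignored rather than granting framing to the named origin. The intended effect is expressed with `X-Frame-Options: SAMEORIGIN` plus `frame-ancestors 'self'` for the own-origin case, and `frame-ancestors https://wiz.biz` for the third-party case, where X-Frame-Options has no way to name another origin and is best omitted (nginx's `add_header` does not emit a header whose value is the empty string). The regexes also leave `.` unescaped, so `^https://mempool.space/` matches any single character in that position; `\.` pins the hostname. Note that `add_header` directives set here are not inherited by a `location` that declares its own `add_header`, which cannot be checked from this hunk since the server block continues outside it.
```nginx
if ($http_referer ~ ^https://mempool\.space/)
{
    set $frameOptions "SAMEORIGIN";
    set $contentSecurityPolicy "frame-ancestors 'self'";
}
if ($http_referer ~ ^https://wiz\.biz/)
{
    # X-Frame-Options cannot express a third-party origin; an empty value makes
    # add_header omit it, leaving CSP frame-ancestors to authorise the embed.
    set $frameOptions "";
    set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
}
# … unchanged: HSTS header, default DENY/'none' values, add_header lines …
```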