diff --git a/go.mod b/go.mod
index 0d432a86c..b4aecc9d1 100644
--- a/go.mod
+++ b/go.mod
@@ -37,6 +37,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.7.1
+	github.com/unrolled/secure v1.0.8
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8
 	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
diff --git a/go.sum b/go.sum
index d8650d928..a1aebb76f 100644
--- a/go.sum
+++ b/go.sum
@@ -375,6 +375,9 @@ github.com/syndtr/goleveldb v0.0.0-20181127023241-353a9fca669c/go.mod h1:Z4AUp2K
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v0.0.0-20171122102828-84cb69a8af83/go.mod h1:hnLbHMwcvSihnDhEfx2/BzKp2xb0Y+ErdfYcrs9tkJQ=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/unrolled/secure v1.0.8 h1:JaMvKbe4CRt8oyxVXn+xY+6jlqd7pyJNSVkmsBxxQsM=
+github.com/unrolled/secure v1.0.8/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI=
+github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
 github.com/wader/tag v0.0.0-20200426234345-d072771f6a51 h1:WAxntH7YQD6fIboAvewi7eU+2PQ7Y1K9OOXh67CM4bY=
 github.com/wader/tag v0.0.0-20200426234345-d072771f6a51/go.mod h1:f3YqVk9PEeVf7T4JQ2+TdRqqjTg2fkaROZv0EMQOuKo=
 github.com/wendal/errors v0.0.0-20130201093226-f66c77a7882b/go.mod h1:Q12BUT7DqIlHRmgv3RskH+UCM/4eqVMgI0EMmlSpAXc=
diff --git a/server/middlewares.go b/server/middlewares.go
index 92f8d8926..6b72861ff 100644
--- a/server/middlewares.go
+++ b/server/middlewares.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/deluan/navidrome/log"
 	"github.com/go-chi/chi/middleware"
+	"github.com/unrolled/secure"
 )
 
 func requestLogger(next http.Handler) http.Handler {
@@ -46,6 +47,14 @@ func requestLogger(next http.Handler) http.Handler {
 	})
 }
 
+func injectLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
 func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -58,3 +67,14 @@ func robotsTXT(fs http.FileSystem) func(next http.Handler) http.Handler {
 		})
 	}
 }
+
+func secureMiddleware() func(h http.Handler) http.Handler {
+	sec := secure.New(secure.Options{
+		ContentTypeNosniff:    true,
+		FrameDeny:             true,
+		ReferrerPolicy:        "same-origin",
+		FeaturePolicy:         "autoplay 'none'; camera: 'none'; display-capture 'none'; microphone: 'none'; usb: 'none'",
+		ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
+	})
+	return sec.Handler
+}
diff --git a/server/server.go b/server/server.go
index 50806d775..82945527a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -53,6 +53,7 @@ func (a *Server) Run(addr string) {
 func (a *Server) initRoutes() {
 	r := chi.NewRouter()
 
+	r.Use(secureMiddleware())
 	r.Use(cors.AllowAll().Handler)
 	r.Use(middleware.RequestID)
 	r.Use(middleware.RealIP)
@@ -88,11 +89,3 @@ func (a *Server) initScanner() {
 		}
 	}()
 }
-
-func injectLogger(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
-		ctx = log.NewContext(r.Context(), "requestId", ctx.Value(middleware.RequestIDKey))
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
-}