diff --git a/apps/searxng/app/route.yaml b/apps/searxng/app/route.yaml
index 4a49c16..60798a4 100644
--- a/apps/searxng/app/route.yaml
+++ b/apps/searxng/app/route.yaml
@@ -9,6 +9,9 @@ spec:
 routes:
 - match: Host(`search.trivernis.dev`) || Host(`search.trivernis.net`)
 kind: Rule
+ middlewares:
+ - name: strict-security-headers
+ namespace: default
 services:
 - name: searxng-srv
 port: 8080
diff --git a/apps/tandoor/app/route.yaml b/apps/tandoor/app/route.yaml
index 7794e9b..686f82c 100644
--- a/apps/tandoor/app/route.yaml
+++ b/apps/tandoor/app/route.yaml
@@ -1,4 +1,17 @@
 apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: same-origin
+ customFrameOptionsValue: SAMEORIGIN
+---
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
 name: recipes-route
@@ -9,11 +22,17 @@ spec:
 routes:
 - match: (Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)) && (Path(`/media`) || Path(`/static`))
 kind: Rule
+ middlewares:
+ - name: security-headers
+ namespace: default
 services:
 - name: tandoor
 port: 80
 - match: Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)
 kind: Rule
+ middlewares:
+ - name: security-headers
+ namespace: default
 services:
 - name: tandoor
 port: 8080
\ No newline at end of file
diff --git a/apps/traefik/app.yaml b/apps/traefik/app.yaml
index 5fd99f5..c6906a4 100644
--- a/apps/traefik/app.yaml
+++ b/apps/traefik/app.yaml
@@ -5,3 +5,5 @@ metadata:
 name: traefik
 resources:
 - app/traefik-config.yaml
+ - app/security-headers.yaml
+ - app/strict-security-headers.yaml
diff --git a/apps/traefik/app/security-headers.yaml b/apps/traefik/app/security-headers.yaml
new file mode 100644
index 0000000..d6dbd48
--- /dev/null
+++ b/apps/traefik/app/security-headers.yaml
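Review bot: The new `middlewares` entry on the searxng route names `strict-security-headers` in namespace `default`, but the IngressRoute's own `metadata.namespace` sits above the hunk, so it is not visible whether this is a cross-namespace reference. If the route lives outside `default`, Traefik's Kubernetes CRD provider resolves the middleware only when `allowCrossNamespace` is enabled; without it the reference does not resolve and the route will not come up as intended. The same check applies to the two `security-headers` references added to the tandoor routes. A short comment above each reference, such as `# requires providers.kubernetesCRD.allowCrossNamespace when this route is outside default`, would record the dependency.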
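Review bot: The `Middleware` document added at the top of `apps/tandoor/app/route.yaml` has the same `name: security-headers` and `namespace: default` as the one this commit creates in `apps/traefik/app/security-headers.yaml`, but without the `customResponseHeaders` block. Two manifests for one object mean the effective headers depend on which is applied last, and a GitOps reconciler may keep flipping between them. Drop the copy in the tandoor file and keep only the routes' `middlewares` references, so the traefik app remains the single definition.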
@@ -0,0 +1,17 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: same-origin
+ customFrameOptionsValue: SAMEORIGIN
+
+ customResponseHeaders:
+ X-Robots-Tag: noindex,nofollow
+ X-Download-Options: noopen
+ X-Powered-By: coffee X-Powered-By
\ No newline at end of file
diff --git a/apps/traefik/app/strict-security-headers.yaml b/apps/traefik/app/strict-security-headers.yaml
new file mode 100644
index 0000000..fbd682c
--- /dev/null
+++ b/apps/traefik/app/strict-security-headers.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: strict-security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: no-referrer
+ frameDeny: true
+
+ customResponseHeaders:
+ X-Robots-Tag: noindex,nofollow
+ X-Download-Options: noopen
+ X-Permitted-Cross-Domain-Policies: none
+ X-Powered-By: coffee X-Powered-By
\ No newline at end of file
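Review bot: `X-Powered-By: coffee X-Powered-By` under `customResponseHeaders` replaces the header with a fixed string rather than removing it, and the trailing `X-Powered-By` token, as rendered on this page, looks like a leftover; the same line ends `strict-security-headers.yaml`. If the aim is to stop backends advertising their stack, Traefik deletes a response header whose configured value is empty, so `X-Powered-By: ""` is the clearer choice. `browserXssFilter: true` also appears in both files and emits `X-XSS-Protection: 1; mode=block`, a header current browsers no longer act on; consider dropping it and relying on a Content-Security-Policy instead.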
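Review bot: The profile named strict sets no `contentSecurityPolicy`, so clickjacking protection rests on the `X-Frame-Options` header from `frameDeny: true` alone. Adding `contentSecurityPolicy: "frame-ancestors 'none'"` covers browsers that prefer the CSP directive without restricting what the application itself loads. For HSTS, `stsSeconds: 15768000` is sent without `stsIncludeSubdomains`, and Traefik only emits the header on connections it sees as TLS unless `forceSTSHeader: true` is set, so confirm that TLS terminates at Traefik for these hosts.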