diff --git a/static/Caddyfile b/static/Caddyfile
index d144456..d7398aa 100644
--- a/static/Caddyfile
+++ b/static/Caddyfile
@@ -9,6 +9,7 @@ http://static-mat-services.fly.dev/ {
 :8080 {
 	root * /var/www
+	encode gzip
 	file_server
 	handle_errors {
@@ -18,4 +19,26 @@ http://static-mat-services.fly.dev/ {
 		rewrite @404 /404.html
 		file_server
 	}
+
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+		# enable HSTS
+		# currently ramping up max-age as per https://hstspreload.org/
+		Strict-Transport-Security max-age=300; includeSubDomains
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+		# clickjacking protection
+		X-Frame-Options DENY
+		# keep referrer data off of HTTP connections
+		Referrer-Policy strict-origin-when-cross-origin
+		# content security policy
+		Content-Security-Policy "default-src 'none';
+			img-src 'self';
+			style-src https://cdn.jsdelivr.net/;
+			frame-ancestors 'none';
+			base-uri 'none';
+			upgrade-insecure-requests;
+			sandbox allow-same-origin"
+	}
 }
\ No newline at end of file
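Review bot: The HSTS value in the second hunk is unquoted, so the Caddyfile tokenizer splits `Strict-Transport-Security max-age=300; includeSubDomains` into three tokens, and a three-token line inside a `header` block is the `<field> <find> <replace>` form — a regex replacement on an existing header rather than setting one — so as written the header is most likely never emitted on responses; quote the value as the CSP line already does: `Strict-Transport-Security "max-age=300; includeSubDomains"`. It is worth confirming with `curl -sI` against the deployed site that the header actually appears before raising max-age toward the preload threshold. On the policy itself, `style-src https://cdn.jsdelivr.net/` allow-lists an entire public CDN that serves arbitrary packages; pinning the exact stylesheet path (or switching to hash/SRI) keeps the CSP meaningful if the page is ever able to load attacker-chosen content, and since `form-action` does not fall back to `default-src`, a static site can add `form-action 'none'` cheaply. The `:8080` block starts in the first hunk and its opening context lines are partly outside what the collapsed diff shows.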