diff --git a/api/helpers.py b/api/helpers.py
index fe16fb4..e1689df 100644
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -39,6 +39,16 @@ def _security_headers(handler):
     handler.send_header('X-Content-Type-Options', 'nosniff')
     handler.send_header('X-Frame-Options', 'DENY')
     handler.send_header('Referrer-Policy', 'same-origin')
+    handler.send_header(
+        'Content-Security-Policy',
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
+        "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; "
+        "base-uri 'self'; form-action 'self'"
+    )
+    handler.send_header(
+        'Permissions-Policy',
+        'camera=(), microphone=(), geolocation=()'
+    )
 
 
 def j(handler, payload, status: int=200) -> None:
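Review bot: The new Content-Security-Policy value omits `object-src` and `frame-ancestors`, so plugin content falls back to `default-src 'self'` and framing protection rests solely on the older X-Frame-Options header set two lines above; the last string fragment should read `"base-uri 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'"`. The `'unsafe-inline'` on `style-src` leaves CSS injection unmitigated, which is presumably a concession to inline styles in the served UI — if the only responses passing through `_security_headers` are the JSON bodies written by `j`, that concession could be dropped, but that is not verifiable from this hunk. A short comment above the header, `# CSP: scripts same-origin only; inline styles tolerated for the UI`, would record the reasoning for the next person tightening it. The body of `_security_headers` begins before this hunk.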