@@ -22,6 +22,7 @@ "go.alanpearce.eu/homestead/templates"
 	"go.alanpearce.eu/x/log"
 
 	"github.com/benpate/digit"
+	"github.com/crewjam/csp"
 	"github.com/osdevisnot/sorvor/pkg/livereload"
 )
 
@@ -45,9 +46,28 @@ log          *log.Logger
 	reader       storage.Reader
 	me           digit.Resource
 	acctResource string
+	CSP          *csp.Header
 	*server.App
 }
 
+var CSPHeader = csp.Header{
+	DefaultSrc:             []string{"'none'"},
+	FormAction:             []string{"'none'"},
+	BaseURI:                []string{"'none'"},
+	ImgSrc:                 []string{"'self'"},
+	ScriptSrc:              []string{"'self'"},
+	StyleSrc:               []string{"'self'"},
+	FrameAncestors:         []string{"https://kagi.com"},
+	RequireTrustedTypesFor: []csp.RequireTrustedTypesFor{csp.RTTFScript},
+}
+
+var ExtraHeaders = map[string]string{
+	"Cache-Control":                "max-age=14400",
+	"X-Content-Type-Options":       "nosniff",
+	"Referrer-Policy":              "strict-origin-when-cross-origin",
+	"Cross-Origin-Resource-Policy": "same-site",
+}
+
 func New(
 	opts *Options,
 	log *log.Logger,
@@ -88,6 +108,11 @@ if err != nil {
 		return nil, errors.WithMessage(err, "could not set up fetcher")
 	}
 
+	if opts.Development {
+		CSPHeader.ScriptSrc = slices.Insert(CSPHeader.ScriptSrc, 0, "'unsafe-inline'")
+		CSPHeader.ConnectSrc = slices.Insert(CSPHeader.ConnectSrc, 0, "'self'")
+	}
+
 	firstUpdate := make(chan bool)
 	go func() {
 		updated := sync.OnceFunc(func() {
@@ -108,10 +133,6 @@ Menu:             cfg.Menu,
 				InjectLiveReload: opts.Development,
 			}
 
-			if opts.Development {
-				cfg.CSP.ScriptSrc = slices.Insert(cfg.CSP.ScriptSrc, 0, "'unsafe-inline'")
-				cfg.CSP.ConnectSrc = slices.Insert(cfg.CSP.ConnectSrc, 0, "'self'")
-			}
 			if opts.GoatcounterToken == "" {
 				if !opts.Development {
 					log.Warn("in production without a goatcounter token")