diff --git a/src/main.rs b/src/main.rs
index cf2e832..f99857e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -7,7 +7,7 @@ use actix_diesel::dsl::AsyncRunQueryDsl;
 use actix_diesel::Database;
 use actix_web::error::InternalError;
 use actix_web::fs::{NamedFile, StaticFiles};
-use actix_web::http::header::{LOCATION, X_FRAME_OPTIONS};
+use actix_web::http::header::{CONTENT_SECURITY_POLICY, LOCATION, X_FRAME_OPTIONS};
 use actix_web::http::{Method, StatusCode};
 use actix_web::middleware::{DefaultHeaders, Logger};
 use actix_web::{server, App, AsyncResponder, Form, HttpResponse, Path, State};
@@ -191,7 +191,14 @@ fn main() -> io::Result<()> {
 server::new(move || {
 App::with_state(db.clone())
 .middleware(Logger::default())
-.middleware(DefaultHeaders::new().header(X_FRAME_OPTIONS, "DENY"))
+.middleware(
+DefaultHeaders::new()
+.header(
+CONTENT_SECURITY_POLICY,
+"default-src 'self'; object-src 'none'",
+)
+.header(X_FRAME_OPTIONS, "DENY"),
+)
 .resource("/", |r| {
 r.method(Method::GET).with(index);
 r.method(Method::POST).with(insert_paste);
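Review bot: The policy string on the `CONTENT_SECURITY_POLICY` line omits `frame-ancestors`, so clickjacking protection still rests only on the `X_FRAME_OPTIONS, "DENY"` header set two lines below; browsers that understand both give `frame-ancestors` precedence, so the CSP should state it as well. Because this app accepts a POSTed form (`insert_paste` on the last context line), it is also worth pinning where forms may submit and where a `<base>` tag may point: `"default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"`. Note that `default-src 'self'` with no `script-src`/`style-src` override blocks inline `<script>` and `<style>` and `javascript:` URLs, so the templates and any assets served via the imported `StaticFiles` need checking for inline code before this ships — that cannot be confirmed from the hunk. Pulling the policy into a named `const` near the imports would keep it reviewable rather than buried in the builder chain. The enclosing `main` begins and ends outside this hunk.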