diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml
index a4c5ce2..daace3e 100644
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@@ -5,6 +5,20 @@ metadata:
   name: app
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.org/location-snippets:
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers X-Frame-Options SAMEORIGIN;
+      more_set_headers X-Content-Type-Options nosniff;
+      more_set_headers X-XSS-Protection "1; mode=block";
+      more_set_headers Content-Security-Policy "frame-ancestors 'self'";
+
+    nginx.ingress.kubernetes.io/server-snippet: |
+      if ($request_uri = "/") {
+        more_set_headers "Cache-Control: no-cache";
+      }
+      if ($request_uri ~* "^/(config.*\.json|i18n|home|sites|index\.html)$") {
+        more_set_headers "Cache-Control: no-cache, no-store, must-revalidate";
+      }
 spec:
   ingressClassName: nginx
   tls: