diff --git a/internal/router/router.go b/internal/router/router.go
index 4ced710..9c35eec 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -83,6 +83,7 @@ func (r *Router) initRoutes() {
 n := negroni.Classic()
 n.Use(negroni.HandlerFunc(CORS))
+ n.Use(negroni.HandlerFunc(Secure))
 r.router.PathPrefix("/api").Handler(n.With(
 negroni.HandlerFunc(Auth),
@@ -90,6 +91,7 @@ func (r *Router) initRoutes() {
 ))
 r.router.PathPrefix("/auth").Handler(n.With(
+ negroni.HandlerFunc(LimitHandler()),
 negroni.Wrap(authRouter),
 ))
diff --git a/internal/router/secure.go b/internal/router/secure.go
new file mode 100644
index 0000000..0a8384a
--- /dev/null
+++ b/internal/router/secure.go
@@ -0,0 +1,34 @@
+package router
+
+import (
+ "net/http"
+)
+
+// Secure ...
+func Secure(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+ // X-XSS-Protection
+ w.Header().Add("X-XSS-Protection", "1; mode=block")
+
+ // HTTP Strict Transport Security
+ w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
+
+ // X-Frame-Options
+ w.Header().Add("X-Frame-Options", "SAMEORIGIN")
+
+ // X-Content-Type-Options
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+
+ // Content Security Policy
+ w.Header().Add("Content-Security-Policy", "default-src 'self';")
+
+ // X-Permitted-Cross-Domain-Policies
+ w.Header().Add("X-Permitted-Cross-Domain-Policies", "none")
+
+ // Referrer-Policy
+ w.Header().Add("Referrer-Policy", "no-referrer")
+
+ // Feature-Policy
+ w.Header().Add("Feature-Policy", "microphone 'none'; camera 'none'")
+
+ next(w, r)
+}
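Review bot: `Secure` is registered on the shared `n` chain after `CORS`, so whether preflight responses also carry the new headers depends on `CORS` calling `next` for OPTIONS requests, which is not visible in this hunk; if `CORS` answers preflights itself, moving `n.Use(negroni.HandlerFunc(Secure))` above the `CORS` line keeps the headers on every response. Because `n` is the base for both `PathPrefix` chains, the headers apply to `/api` and `/auth` alike, which looks intended. initRoutes continues outside the hunk.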
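Review bot: `LimitHandler()` is evaluated once while the `/auth` chain is built, so whatever limiter state it returns lives for the process lifetime and is shared by every `/auth` request; the hunk does not show whether that state is keyed per client or global, and a short comment at the call site such as `// one limiter instance for all /auth requests; keyed per client inside LimitHandler` (adjusted to what LimitHandler actually does) would spare the next reader the lookup. Only the `/auth` prefix gets the limiter; the `/api` chain behind `Auth` is unchanged, which may be deliberate but is worth stating in the commit. initRoutes continues outside the hunk.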
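Review bot: Every header in `Secure` is written with `w.Header().Add`, which appends rather than replaces, so if an earlier middleware or the wrapped handler already set the same name the client receives two values (two `Content-Security-Policy` headers are enforced as their intersection, and duplicates of the others are handled inconsistently by browsers); use `w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")` and likewise for the other seven calls. The `// Secure ...` placeholder should state the contract, e.g. `// Secure is a negroni middleware that sets a fixed set of browser hardening headers on every response and then calls next.` `Strict-Transport-Security` is emitted unconditionally with `includeSubDomains; preload`; browsers ignore it on plain-HTTP responses, and `preload` is a long-lived commitment covering every subdomain, so confirm it is only served where all subdomains are TLS-only. `X-XSS-Protection` is deprecated and the current guidance is the value `0` to disable the legacy filter, and `Feature-Policy` has been superseded by `Permissions-Policy` (with a different value syntax), so the same restrictions should also be sent under the new name.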