changeset 4829:f4ec3558460e

Set some nosniff http headers.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Wed, 06 Nov 2019 18:00:50 +0100
parents 39ee00d06309
children 125cac3c977d
files cmd/gemma/main.go pkg/controllers/proxy.go pkg/middleware/jsonhandler.go
diffstat 3 files changed, 14 insertions(+), 1 deletions(-) [+]
--- a/cmd/gemma/main.go	Tue Nov 05 14:31:22 2019 +0100
+++ b/cmd/gemma/main.go	Wed Nov 06 18:00:50 2019 +0100
@@ -67,7 +67,15 @@
 	m := mux.NewRouter()
 	controllers.BindRoutes(m)
 
-	m.PathPrefix("/").Handler(http.FileServer(http.Dir(web)))
+	dir := http.FileServer(http.Dir(web))
+
+	xframes := http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
+		res.Header().Set("X-Frame-Options", "sameorigin")
+		res.Header().Set("X-Content-Type-Options", "nosniff")
+		dir.ServeHTTP(res, req)
+	})
+
+	m.PathPrefix("/").Handler(xframes)
 
 	addr := fmt.Sprintf("%s:%d", config.WebHost(), config.WebPort())
 	log.Printf("info: listen on %s\n", addr)
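Review bot: The X-Frame-Options header set on L22 only reaches responses produced by the static-file fallback registered on L27; every route bound through controllers.BindRoutes on L16 shares the same router but bypasses this closure, and none of the other hunks in this changeset add the header there, so API responses remain framable. Because static files and API routes share one router, applying both headers as a middleware around `m` is simpler and covers everything (gorilla/mux offers `Router.Use` for this; otherwise wrap `m` where it is handed to the server, which is outside this hunk). The closure name `xframes` is also misleading now that it sets nosniff as well; `secureHeaders` says what it does. X-Frame-Options is superseded by CSP `frame-ancestors 'self'`, which browsers implementing CSP2+ honour in preference to it when both are present, so adding `res.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")` alongside costs one line. I cannot see how `m` is consumed after L30, so an existing outer wrapper there would change this assessment.
```go
	// secureHeaders adds browser hardening headers to every response that
	// passes through the router, not only the static-file fallback.
	secureHeaders := func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
			res.Header().Set("X-Frame-Options", "sameorigin")
			res.Header().Set("X-Content-Type-Options", "nosniff")
			next.ServeHTTP(res, req)
		})
	}
	m.Use(secureHeaders) // gorilla/mux; otherwise wrap m where it is passed to the server
	m.PathPrefix("/").Handler(http.FileServer(http.Dir(web)))
	// … unchanged: addr / listen …
```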
--- a/pkg/controllers/proxy.go	Tue Nov 05 14:31:22 2019 +0100
+++ b/pkg/controllers/proxy.go	Wed Nov 06 18:00:50 2019 +0100
@@ -153,6 +153,8 @@
 
 	return func(resp *http.Response) error {
 
+		resp.Header.Set("X-Content-Type-Options", "nosniff")
+
 		if !isXML(resp.Header) {
 			return nil
 		}
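Review bot: Proxied responses get nosniff on L37 but not the X-Frame-Options header this same changeset adds to the static handler in cmd/gemma/main.go, so an upstream that answers with HTML (error pages are a common case for map servers) stays framable through the proxy; if that asymmetry is intended, a comment should say so, otherwise add `resp.Header.Set("X-Frame-Options", "sameorigin")` next to it. Setting the header before the `isXML` early return on L39 is the right order, since it then applies to every proxied response rather than only the XML ones rewritten below, and a one-line comment such as `// Harden every proxied response, not only the XML ones rewritten below.` makes that intent explicit for the next reader. The function that returns this closure starts before the hunk, and whether this callback also runs for transport errors depends on how it is wired into the proxy, which is not visible here.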
--- a/pkg/middleware/jsonhandler.go	Tue Nov 05 14:31:22 2019 +0100
+++ b/pkg/middleware/jsonhandler.go	Wed Nov 06 18:00:50 2019 +0100
@@ -183,6 +183,8 @@
 	if jr.Code != http.StatusNoContent {
 		rw.Header().Set("Content-Type", "application/json")
 	}
+	rw.Header().Set("X-Content-Type-Options", "nosniff")
+
 	rw.WriteHeader(jr.Code)
 	if jr.Code != http.StatusNoContent {
 		var err error
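Review bot: The Content-Type/X-Content-Type-Options pair on L46-L48 is now hand-written here and again in SendJSON further down the same file, so the two paths will drift the next time a header is added or changed; a small unexported helper taking the `http.Header` and a flag for whether a body follows (so the 204 case on L45 keeps skipping Content-Type) would let both call sites share one definition. Writing nosniff on a 204 response that carries no body is harmless but does nothing, so if the header is deliberately placed outside the `if` on L45, a short comment such as `// nosniff is set even for 204 so every response from this handler is uniform.` stops a later reader from moving it. The enclosing function begins before this hunk.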
@@ -201,6 +203,7 @@
 // with a given HTTP status code.
 func SendJSON(rw http.ResponseWriter, code int, data interface{}) {
 	rw.Header().Set("Content-Type", "application/json")
+	rw.Header().Set("X-Content-Type-Options", "nosniff")
 	rw.WriteHeader(code)
 	if err := json.NewEncoder(rw).Encode(data); err != nil {
 		log.Printf("error: %v\n", err)
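Review bot: SendJSON's doc comment, whose tail is visible on L54, still describes only the status code, yet the function now fixes two response headers that callers may want to rely on or override; its doc should say so, e.g. `// SendJSON encodes data as JSON and writes it with the given HTTP status code. It sets Content-Type to application/json and X-Content-Type-Options to nosniff, overriding any values the caller set for those two headers.` The nosniff line on L57 is correctly placed before WriteHeader on L58, since headers written afterwards would be silently dropped. The doc comment starts before this hunk, so the wording above replaces the whole comment rather than just L54.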