diff --git a/index.js b/index.js
index a09f0ec..d216bd6 100644
--- a/index.js
+++ b/index.js
@@ -12,6 +12,23 @@ app.use(cloudflare.restore());
 app.use(express.json());
 app.use(favicon(__dirname + "/views/favicon.ico"));
+// Set security headers
+app.use((req, res, next) => {
+ // Content-Security-Policy
+ res.setHeader(
+ "Content-Security-Policy",
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';"
+ );
+
+ // X-Frame-Options
+ res.setHeader("X-Frame-Options", "SAMEORIGIN");
+
+ // Referrer-Policy
+ res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+
+ next();
+});
+
 // App Configuration
 app.set("views", path.join(__dirname, "views"));
 app.set("view engine", "pug");
@@ -27,6 +44,12 @@ app.get("/", (req, res) => {
 res.render("index", { title: "YetAnotherWhatsMyIP", message: `${ip}` });
 });
+// Serve security.txt
+app.use(
+ "/.well-known",
+ express.static(path.join(__dirname, "public", ".well-known"))
+);
+
 // 404
 app.use(function (req, res, next) {
 res.status(404).send(res.render("404", { title: "404" }));
diff --git a/public/.well-known/security.txt b/public/.well-known/security.txt
new file mode 100644
index 0000000..ae98b18
--- /dev/null
+++ b/public/.well-known/security.txt
@@ -0,0 +1,2 @@
+Contact: mailto:security@altan.me
+Expires: 2024-12-31T19:00:00.000Z
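Review bot: The Content-Security-Policy set in the new header middleware has no `object-src`, `base-uri` or `frame-ancestors` directive: the first two fall back to `default-src 'self'`, while `frame-ancestors` does not fall back at all, so framing control rests on the legacy X-Frame-Options header alone, and `style-src 'unsafe-inline'` gives up most of what CSP offers against injected styles. Consider `"default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"` (keep `'unsafe-inline'` only if the pug templates really emit inline styles) and add `res.setHeader("X-Content-Type-Options", "nosniff");` alongside the other headers; Strict-Transport-Security belongs here too if TLS is terminated by this process rather than upstream. The middleware is also registered after `favicon()` and `express.json()`, so any response those middlewares end presumably never receives these headers — registering it before them closes that gap.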
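Review bot: Mounting `express.static` on `/.well-known` publishes every file that lands in `public/.well-known`, not just security.txt, and with default options it will also serve an `index.html` dropped there. Since the comment states the intent is the single file, serving it explicitly is tighter: `app.get("/.well-known/security.txt", (req, res) => res.sendFile(path.join(__dirname, "public", ".well-known", "security.txt")));`. If the directory mount is kept, pass `{ index: false, dotfiles: "deny" }` so stray files and directory indexes are not exposed; the `.txt` extension already yields the text/plain content type RFC 9116 expects.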
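Review bot: The Expires value `2024-12-31T19:00:00.000Z` is a hard deadline: RFC 9116 says the file should be treated as stale once it passes, so it needs an owner and a reminder to bump it before then (the RFC recommends keeping it under a year out). A `Canonical: https://<your-host>/.well-known/security.txt` line lets readers confirm they are looking at the authoritative copy, and `Preferred-Languages:` tells reporters which languages the contact accepts.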