diff --git a/frontend/nuxt.config.js b/frontend/nuxt.config.js
index e72c3de..7b393b4 100644
--- a/frontend/nuxt.config.js
+++ b/frontend/nuxt.config.js
@@ -120,6 +120,7 @@ export default {
 ** Build configuration
 */
 build: {
+ extractCSS: true,
 /*
 ** You can extend webpack config here
 */
diff --git a/nginx/server.conf b/nginx/server.conf
index 3792a75..4914024 100644
--- a/nginx/server.conf
+++ b/nginx/server.conf
@@ -24,6 +24,17 @@ server {
 location / {
 root /usr/share/nginx/html;
 index index.html index.htm;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # FIXME disable inlines in webpack
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://cdn.jsdelivr.net;";
+
+ add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "origin" always;
 }
 error_page 500 502 503 504 /50x.html;
@@ -37,4 +48,3 @@ server {
 }
 }
-
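Review bot: `extractCSS: true` is added to `build` with no comment saying why, and the reason appears to sit in the other file of this commit (the CSP FIXME about inlines in nginx/server.conf). A short comment such as `// extract CSS into files so the CSP can stop allowing inline styles` would keep the two in step. This option only moves styles; any inline scripts the build emits are unaffected, so on its own it does not make dropping `'unsafe-inline'` safe. The `build` object continues outside the hunk.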
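Review bot: The Content-Security-Policy and Feature-Policy `add_header` lines omit `always`, unlike the five headers around them, so nginx leaves both off 4xx/5xx responses; append `always` to each. All of these headers sit inside `location /`, and `add_header` is not merged across levels, so other locations (the `error_page ... /50x.html` target is presumably one, defined outside this hunk) answer without HSTS or `nosniff` unless the block is moved up to `server` scope. In the CSP, `'unsafe-inline'` and `https://cdn.jsdelivr.net` under `default-src` apply to scripts as well as styles and fonts, which removes most of the policy's XSS value. If only styles need the exception, keep `default-src 'self'` and add per-type directives such as `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com` and `font-src https://fonts.gstatic.com`, and extend the FIXME to name which inlines remain. The Feature-Policy keywords need single quotes (`'none'`, `'self'`); unquoted `self` is not a keyword, so `fullscreen self` probably does not allow same-origin fullscreen as intended.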