diff --git a/docker/templates/vhost_app.conf b/docker/templates/vhost_app.conf
index ae25f2f19107a610cea871b83b55cd78ebd4d274..eecb3186fc5dc6cdb1d0ab1e5369aa639f592c5b 100644
--- a/docker/templates/vhost_app.conf
+++ b/docker/templates/vhost_app.conf
@@ -15,4 +15,16 @@
     Require all denied
   </Location>
 
+  # security headers
+
+  Header unset X-Powered-By
+
+  Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+
+  Header set X-Frame-Options "SAMEORIGIN"
+  Header set X-Content-Type-Options "nosniff"
+  Header set X-XSS-Protection "1; mode=block"
+  Header set Feature-Policy "sync-xhr 'self'"
+  Header set Referrer-Policy "strict-origin-when-cross-origin"
+
 </VirtualHost>
\ No newline at end of file
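Review bot: The added `Header set` / `Header unset` lines use mod_headers' default `onsuccess` condition, so they will most likely be missing from locally generated error responses such as the 403 from the `Require all denied` location just above. Writing them as `Header always set X-Content-Type-Options "nosniff"` (and `Header always unset X-Powered-By`, likewise for the rest) covers those responses too. The HSTS value combines a two-year `max-age` with `includeSubDomains; preload` in a shared template, which commits every subdomain to HTTPS and is slow to undo once preloaded. The `<VirtualHost>` opening is outside this hunk, so confirm that this vhost is TLS-only and that every subdomain serves HTTPS, or drop `preload` until that is verified. `X-XSS-Protection` is deprecated in current browsers and `Feature-Policy` has been superseded by `Permissions-Policy` (`sync-xhr=(self)`), so a comment on those two lines saying they are kept only for legacy clients would help the next maintainer.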