diff --git a/app/__init__.py b/app/__init__.py
index 1a25d59d9..e32859141 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -46,6 +46,8 @@ def create_app(config_name):
     application.add_template_filter(placeholders)
     application.add_template_filter(replace_placeholders)
 
+    application.after_request(useful_headers_after_request)
+
     return application
 
 
@@ -106,3 +108,11 @@ def replace_placeholders(template, values):
         lambda match: values.get(match.group(1), ''),
         template
     ))
+
+
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+def useful_headers_after_request(response):
+    response.headers.add('X-Frame-Options', 'deny')
+    response.headers.add('X-Content-Type-Options', 'nosniff')
+    response.headers.add('X-XSS-Protection', '1; mode=block')
+    return response
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
new file mode 100644
index 000000000..c53ae0c47
--- /dev/null
+++ b/tests/app/main/views/test_headers.py
@@ -0,0 +1,8 @@
+
+def test_owasp_useful_headers_set(notifications_admin):
+    with notifications_admin.test_request_context():
+        response = notifications_admin.test_client().get('/')
+    assert response.status_code == 200
+    assert response.headers['X-Frame-Options'] == 'deny'
+    assert response.headers['X-Content-Type-Options'] == 'nosniff'
+    assert response.headers['X-XSS-Protection'] == '1; mode=block'