diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index 19fd0aacf..aa52c8144 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
@@ -1,3 +1,19 @@
+const ContentSecurityPolicy = `
+ default-src 'self';
+ base-uri 'self';
+ block-all-mixed-content;
+ connect-src 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app storage.googleapis.com api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
+ font-src 'self' data: cdn.jsdelivr.net;
+ form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL};
+ frame-ancestors 'none';
+ frame-src accounts.google.com platform.twitter.com www.youtube-nocookie.com;
+ manifest-src 'self';
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net cdn.segment.com;
+ style-src 'self' 'unsafe-inline' accounts.google.com cdnjs.cloudflare.com;
+ img-src 'self' blob: data: https:;
+ worker-src 'self' blob:;
+`
+
 const moduleExports = {
 images: {
 domains: [
@@ -24,6 +40,19 @@ const moduleExports = {
 destination: `https://api-${process.env.NEXT_PUBLIC_APP_ENV}.omnivore.app/api/mobile-auth/:path*`,
 },
 ],
+ async headers() {
+ return [
+ {
+ source: '/(.*)',
+ headers: [
+ {
+ key: 'Content-Security-Policy',
+ value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+ },
+ ],
+ },
+ ]
+ },
 async redirects() {
 return [
 {
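Review bot: The `script-src` directive grants both `'unsafe-inline'` and `'unsafe-eval'`, which means this policy does not actually block injected inline scripts or string-evaluated code, so the main script-injection protection a CSP provides is not delivered here; if the inline scripts come from the app's own pages, a nonce- or hash-based `script-src` would keep them working without the blanket allowances, and a comment on the `script-src` line stating which third-party widget currently forces each keyword would let the next maintainer remove them as those widgets are replaced. Separately, `${process.env.NEXT_PUBLIC_SERVER_BASE_URL}` is interpolated into `connect-src` and `form-action` without a check, so an unset variable produces the literal source `undefined` and the real API origin is silently blocked; a build-time guard above the template such as `if (!process.env.NEXT_PUBLIC_SERVER_BASE_URL) throw new Error('NEXT_PUBLIC_SERVER_BASE_URL must be set to build the CSP')` would surface that at build rather than in production. Note also that `block-all-mixed-content` is a deprecated directive; `upgrade-insecure-requests` is the currently recommended replacement for the same intent.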
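Review bot: The new `headers()` block ships the policy straight to every route as an enforcing `Content-Security-Policy`, so any host the template missed will break the page on first deploy rather than show up as a report; staging it under `Content-Security-Policy-Report-Only` (optionally with a `report-to`/`report-uri` endpoint, if one exists — I cannot tell from the hunk) before switching the key is the usual rollout. Since this block now runs for `source: '/(.*)'`, it is also the natural place for the inexpensive hardening headers the app does not yet send, which I have sketched below; `Strict-Transport-Security` is deliberately left out because whether every environment is HTTPS-only is not visible here and should be confirmed first. A short comment on the `value` line explaining that the `.replace(/\s{2,}/g, ' ').trim()` exists to flatten the multi-line template into the single-line header value the browser expects would also help.
```javascript
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            // flatten the multi-line template into one header value
            value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
          },
          // prevents MIME sniffing of responses into executable types
          { key: 'X-Content-Type-Options', value: 'nosniff' },
          // legacy equivalent of frame-ancestors 'none' for older browsers
          { key: 'X-Frame-Options', value: 'DENY' },
          // keeps full URLs (which may carry ids/tokens) out of cross-origin referrers
          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        ],
      },
    ]
  },
```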