diff --git a/webserver/nginx.conf b/webserver/nginx.conf
index fe62b8f..a40289d 100644
--- a/webserver/nginx.conf
+++ b/webserver/nginx.conf
@@ -41,7 +41,7 @@ server {
 ssl_protocols TLSv1.2 TLSv1.3;
 # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
 ssl_session_timeout 10m;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
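Review bot: The comment kept directly above the changed `ssl_ciphers` line still says the list is the Mozilla recommended suite, but dropping the two DHE-RSA suites means it no longer matches the intermediate profile those suites belong to, so the comment should state the actual rationale, e.g. `# Mozilla intermediate list minus the DHE-RSA suites (ECDHE only); ssl_ciphers only governs TLS 1.2 here, TLS 1.3 suites are selected by the TLS library`. If an `ssl_dhparam` directive exists elsewhere in this file it presumably becomes unused now that no DHE suite remains; worth confirming and removing together with this change. The server block continues past both ends of the hunk.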
@@ -97,15 +97,25 @@ server {
 proxy_buffers 4 32k;
 proxy_busy_buffers_size 64k;
 proxy_temp_file_write_size 64k;
+ proxy_cookie_flags ~ secure HttpOnly;
- add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;";
+ add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;";
 add_header 'X-Robots-Tag' "index, follow, noimageindex, notranslate, noarchive";
+ add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Permissions-Policy' 'geolocation=(), microphone=()';
+ add_header 'Access-Control-Allow-Origin' '*';
 location = /robots.txt {
 add_header Content-Type text/plain;
 return 200 "User-agent: *\nDisallow: /proxy/\nDisallow: /static/\nDisallow: /media/\nCrawl-delay: 1";
 }
+ location = /.well-known/gpc.json {
+ add_header Content-Type application/json;
+ return 200 '{"gpc": true,"version": 1,"lastUpdate": "2022-12-16"}';
+ }
+
 location ~* ^/(media|static) {
 http2_push_preload on;
 limit_req zone=taka_media burst=5 nodelay;
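Review bot: None of the server-level security headers added here (CSP, HSTS, X-XSS-Protection, Permissions-Policy, Access-Control-Allow-Origin) will be sent on the new `/.well-known/gpc.json` response, because nginx stops inheriting `add_header` directives as soon as a location declares one of its own, and the new location does so for Content-Type (the existing `/robots.txt` block has the same gap). Set the type with `default_type application/json;` instead of `add_header Content-Type application/json;` (this also avoids emitting a second Content-Type header next to the one nginx derives for the `return` body), and append `always` to each server-level `add_header` so the headers also go out on 4xx/5xx responses rather than only on success codes. The new `object-src 'self'` is looser than the `'none'` that `default-src 'none'` previously implied; unless self-hosted plugin content is actually served, `object-src 'none'` preserves the earlier restriction. `X-XSS-Protection '1; mode=block'` is a legacy header that current guidance recommends setting to `'0'` or omitting, and a wildcard `Access-Control-Allow-Origin` on every response, including the proxied paths, is presumably broader than intended and should be scoped to the location that needs it. The server block continues past both ends of the hunk.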