diff --git a/Cargo.toml b/Cargo.toml
index 54cd8268..ea2d1770 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -109,6 +109,7 @@ features = [
     "add-extension",
     "cors",
     "sensitive-headers",
+    "set-header",
     "trace",
     "util",
     "catch-panic",
diff --git a/src/api/client_server/media.rs b/src/api/client_server/media.rs
index 0de61233..12899b39 100644
--- a/src/api/client_server/media.rs
+++ b/src/api/client_server/media.rs
@@ -25,7 +25,7 @@ use crate::{
 const MXC_LENGTH: usize = 32;
 
 /// Cache control for immutable objects
-const CACHE_CONTROL_IMMUTABLE: &str = "public, max-age=31536000, immutable";
+const CACHE_CONTROL_IMMUTABLE: &str = "public,max-age=31536000,immutable";
 
 const CORP_CROSS_ORIGIN: &str = "cross-origin";
 
diff --git a/src/router/mod.rs b/src/router/mod.rs
index 03e8be60..aa928685 100644
--- a/src/router/mod.rs
+++ b/src/router/mod.rs
@@ -6,7 +6,7 @@ use axum::{
 	Router,
 };
 use http::{
-	header::{self, HeaderName},
+	header::{self, HeaderName, HeaderValue},
 	Method, StatusCode, Uri,
 };
 use ruma::api::client::{
@@ -17,6 +17,7 @@ use tower::ServiceBuilder;
 use tower_http::{
 	catch_panic::CatchPanicLayer,
 	cors::{self, CorsLayer},
+	set_header::SetResponseHeaderLayer,
 	trace::{DefaultOnFailure, DefaultOnRequest, DefaultOnResponse, TraceLayer},
 	ServiceBuilderExt as _,
 };
@@ -32,6 +33,9 @@ pub(crate) async fn build(server: &Server) -> io::Result<axum::routing::IntoMake
 	let base_middlewares = base_middlewares.layer(sentry_tower::NewSentryLayer::<http::Request<_>>::new_from_top());
 
 	let x_forwarded_for = HeaderName::from_static("x-forwarded-for");
+	let permissions_policy = HeaderName::from_static("permissions-policy");
+	let origin_agent_cluster = HeaderName::from_static("origin-agent-cluster"); // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster
+
 	let middlewares = base_middlewares
 		.sensitive_headers([header::AUTHORIZATION])
 		.sensitive_request_headers([x_forwarded_for].into())
@@ -44,6 +48,33 @@ pub(crate) async fn build(server: &Server) -> io::Result<axum::routing::IntoMake
 				.on_response(DefaultOnResponse::new().level(Level::DEBUG)),
 		)
 		.layer(axum::middleware::from_fn(request_handle))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			origin_agent_cluster,
+			HeaderValue::from_static("?1"),
+		))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::X_CONTENT_TYPE_OPTIONS,
+			HeaderValue::from_static("nosniff"),
+		))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::X_XSS_PROTECTION,
+			HeaderValue::from_static("0"),
+		))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::X_FRAME_OPTIONS,
+			HeaderValue::from_static("DENY"),
+		))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			permissions_policy,
+			HeaderValue::from_static("interest-cohort=(),browsing-topics=()"),
+		))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::CONTENT_SECURITY_POLICY,
+			HeaderValue::from_static(
+				"sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; \
+				 style-src 'unsafe-inline'; object-src 'self'; frame-ancesors 'none';",
+			),
+		))
 		.layer(cors_layer(server))
 		.layer(DefaultBodyLimit::max(
 			server
@@ -130,6 +161,8 @@ fn request_result_log(method: &Method, uri: &Uri, result: &axum::response::Respo
 	}
 }
 
+/// Cross-Origin-Resource-Sharing header as defined by spec:
+/// <https://spec.matrix.org/latest/client-server-api/#web-browser-clients>
 fn cors_layer(_server: &Server) -> CorsLayer {
 	const METHODS: [Method; 7] = [
 		Method::GET,