diff --git a/nginx/dev.conf b/nginx/dev.conf
index 38db77c594a2a93b823addfc1721b26b37a59764..b43d16e38738c96a7271f8f942c48bbb51d62193 100644
--- a/nginx/dev.conf
+++ b/nginx/dev.conf
@@ -18,6 +18,9 @@ server {
   listen 8080 default_server;
 
   root /usr/share/nginx/html/;
+
+  server_tokens off;
+
   set $matomo_script
   "<script type='text/javascript'>
     var _paq = window._paq = window._paq || [];
@@ -32,6 +35,12 @@ server {
     })();
   </script>";
 
+
+  location ~ /index.html|.*\.json$ {
+      expires -1;
+      add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+  }
+
   location / {
     # Redirect outdated nav
     if ($outdated = 1){
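Review bot: The `add_header Cache-Control` inside the new location block suppresses every `add_header` inherited from the server level, because nginx inherits add_header directives only when the current level defines none; if security-headers.conf is included at server level (the diff does not show where it is included), responses for index.html and .json files would be served without HSTS, CSP, X-Frame-Options and the other headers. Re-include the same header file inside the block next to the Cache-Control line, e.g. `include security-headers.conf;` using whatever path the server-level include uses, or add the headers explicitly there. The regex `/index.html|.*\.json$` is also an unanchored alternation with an unescaped dot, so the first branch matches any URI containing `/index` plus any character plus `html`; `location ~ ^/(index\.html|.*\.json)$ {` expresses the intent more tightly. The enclosing `server` block starts and ends outside this hunk.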
diff --git a/nginx/security-headers.conf b/nginx/security-headers.conf
new file mode 100644
index 0000000000000000000000000000000000000000..33106bbd0048aed3335e62e37575a450252382b7
--- /dev/null
+++ b/nginx/security-headers.conf
@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always;
+add_header Content-Security-Policy "object-src 'none'; script-src 'self' https://openlayers.org/en/v4.6.5/build/ol.js https://embed.typeform.com/embed.js; script-src-elem 'self' https://openlayers.org/en/v4.6.5/build/ol.js https://embed.typeform.com/embed.js; base-uri 'self'; style-src https://openlayers.org/en/v4.6.5/css/ol.css https://cdn.jsdelivr.net/npm/leaflet.locatecontrol@0.72.0/dist/L.Control.Locate.min.css 'unsafe-inline' 'self';" always;
+add_header X-Frame-Options "DENY" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "strict-origin" always;
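Review bot: The Content-Security-Policy on the second line has no `default-src`, so every fetch directive it does not name (connect-src, img-src, font-src, frame-src, worker-src, and so on) falls back to unrestricted; prefix the policy with `default-src 'self';` and then list the external origins each directive actually needs. With `script-src 'self'` and no `'unsafe-inline'`, hash or nonce, the inline Matomo `<script>` that dev.conf builds in `$matomo_script` would presumably be blocked once this policy is served, so either move that snippet to a file under the site root or add its SHA-256 hash to script-src and script-src-elem (verify with the browser console). Nothing in this diff includes the new file from dev.conf or another config, so it is worth confirming the headers are actually emitted, and that any `location` that sets its own `add_header` re-includes them.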