diff --git a/search_app.py b/search_app.py
index e74dbc8..f01a2ba 100644
--- a/search_app.py
+++ b/search_app.py
@@ -938,6 +938,23 @@ def build_full_graph_payload(
 def create_app(config: AppConfig = CONFIG) -> Flask:
     app = Flask(__name__, static_folder=str(Path(__file__).parent / "static"))
+    app.config['MAX_CONTENT_LENGTH'] = 1 * 1024 * 1024
+
+    @app.after_request
+    def add_security_headers(response):
+        response.headers['X-Frame-Options'] = 'DENY'
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
+        response.headers['Content-Security-Policy'] = (
+            "default-src 'self'; "
+            "script-src 'self' https://cdn.jsdelivr.net https://unpkg.com; "
+            "style-src 'self' 'unsafe-inline' https://unpkg.com; "
+            "img-src 'self' data: https:; "
+            "font-src 'self' https://unpkg.com; "
+            "connect-src 'self'"
+        )
+        return response
+
     client = _ensure_client(config)
     index = config.elastic.index
     qdrant_url = config.qdrant_url
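Review bot: The new Content-Security-Policy in `add_security_headers` leaves `base-uri`, `form-action` and `frame-ancestors` unset, and none of those fall back to `default-src`, so an injected `<base>` tag or form target is still unrestricted and framing protection rests solely on the legacy `X-Frame-Options` header; the last directive string should become `"connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"`. The `script-src` allowlist admits every script served from cdn.jsdelivr.net and unpkg.com rather than the specific assets this app loads, which is broader than a CDN-hosted dependency needs — the templates are not in the hunk, but `integrity` attributes on those `<script>` tags (or a nonce-based policy) would narrow it; likewise `'unsafe-inline'` in `style-src` is worth a short comment stating which inline styles require it. The nested function also has no docstring; a one-liner such as `"""Attach browser hardening headers to every response (CSP, framing, MIME sniffing, feature policy)."""` would help. `create_app` continues past the end of the hunk.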