diff --git a/Auth/LearningHub.Nhs.Auth/Program.cs b/Auth/LearningHub.Nhs.Auth/Program.cs
index 04759f5..910cb0b 100644
--- a/Auth/LearningHub.Nhs.Auth/Program.cs
+++ b/Auth/LearningHub.Nhs.Auth/Program.cs
@@ -56,6 +56,20 @@
 await next();
 });
 
+app.Use(async (context, next) =>
+{
+ // Add security headers
+ context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
+ context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+ context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
+ context.Response.Headers.Add("X-Frame-Options", "DENY");
+ context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none';");
+ context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade");
+ context.Response.Headers.Add("Feature-Policy", "geolocation 'self'; microphone 'none'; camera 'none'");
+
+ await next();
+});
+
 if (app.Environment.IsDevelopment())
 {
 app.UseDeveloperExceptionPage();
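Review bot: `Headers.Add` throws an `ArgumentException` when the header is already present, so each of the seven added `context.Response.Headers.Add(...)` calls fails the whole request as soon as another component sets the same header first (an `app.UseHsts()` registered elsewhere in this file would already emit Strict-Transport-Security), while anything that runs after `await next()` can still overwrite the values set here; assigning through the indexer, e.g. `context.Response.Headers["X-Frame-Options"] = "DENY";`, avoids the exception, and doing the assignments inside `context.Response.OnStarting(...)` makes them final. X-XSS-Protection is deprecated and `1; mode=block` is no longer recommended because the legacy filter itself has been a source of cross-site information leaks, so the value should be `0` or the header omitted. Feature-Policy has been superseded by Permissions-Policy; a `Permissions-Policy: geolocation=(self), microphone=(), camera=()` header should be sent alongside or instead. If this auth host exposes endpoints that relying parties intentionally frame (an OIDC check-session iframe, for example), the blanket `X-Frame-Options: DENY` and a CSP with no `frame-ancestors` exception will break them, which is worth confirming against the routes this app serves.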