diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml
index 7a7f92d..53a3193 100644
--- a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml
+++ b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml
@@ -30,6 +30,7 @@ metadata:
 {{- end }}
 nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.maxUploadSizeMB }}m"
 nginx.org/client-max-body-size: "{{ .Values.maxUploadSizeMB }}m"
+ nginx.ingress.kubernetes.io/configuration-snippet: {{- .Values.ingress.configurationSnippet | toYaml | indent 4 }}
 {{- if .Values.ingress.stickySessions.enabled }}
 # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/
 nginx.ingress.kubernetes.io/affinity: "cookie"
diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml
index 251e622..f4dd3b2 100755
--- a/charts/sddi-ckan/charts/ckan/values.yaml
+++ b/charts/sddi-ckan/charts/ckan/values.yaml
@@ -156,6 +156,11 @@ ingress:
 tls:
 # -- Specify a custom tls secret name. This overwrites `global.ingress.tls.secretName`.
 secretName:
+ configurationSnippet: |
+ more_set_headers "X-Frame-Options: DENY";
+ more_set_headers "X-Xss-Protection: 0";
+ more_set_headers "X-Content-Type-Options: nosniff";
+ more_set_headers "Content-Security-Policy: object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecurerequests; blockall-mixed-content; require-trustedtypes-for 'script'";
 # General settings
 # -- CKAN site url. This should match a domain name of CKAN specified in `ingress.domains`/`global.ingress.domains`
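Review bot: The `configuration-snippet` annotation is rendered unconditionally, so a release that overrides `ingress.configurationSnippet` with an empty value still emits the key (as `null` or `""`). On an ingress-nginx controller where `allow-snippet-annotations` is disabled, the admission webhook will presumably reject the whole Ingress. Guard the line and quote the value, e.g. `{{- with .Values.ingress.configurationSnippet }}` / `nginx.ingress.kubernetes.io/configuration-snippet: {{ . | quote }}` / `{{- end }}`, which also removes the reliance on `{{-` plus `indent 4` happening to line up with the annotation block. Unlike the body-size lines just above, there is no `nginx.org/` counterpart, so with that controller the security headers are silently not applied; a short comment saying so would help. The `metadata.annotations` block begins outside this hunk.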
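Review bot: Three directive names in the Content-Security-Policy value are misspelled (`upgrade-insecurerequests`, `blockall-mixed-content`, `require-trustedtypes-for`), and browsers skip directives they do not recognise, so those parts of the policy currently have no effect. The tail of that line should read `upgrade-insecure-requests; block-all-mixed-content; require-trusted-types-for 'script'";`. Once spelled correctly, `require-trusted-types-for 'script'` is enforced by supporting browsers and may break front-end scripts that write to DOM sinks, so it is worth testing against the CKAN UI before keeping it in the chart default. The new key also lacks the `# --` doc comment its neighbours carry; something like `# -- NGINX snippet added to the ingress through the ingress-nginx configuration-snippet annotation; requires snippet annotations to be allowed on the controller.` would fit.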