diff --git a/lung_cancer_screening/settings.py b/lung_cancer_screening/settings.py
index 95af47d4..2b70f21e 100644
--- a/lung_cancer_screening/settings.py
+++ b/lung_cancer_screening/settings.py
@@ -12,6 +12,7 @@ import sys
 from os import environ
 from pathlib import Path
+from django.utils.csp import CSP
 from jinja2 import ChainableUndefined
@@ -73,15 +74,16 @@ def pem_key_env(key, file_path_key=None):
 ]
 MIDDLEWARE = [
- 'django.middleware.security.SecurityMiddleware',
+ "django.middleware.security.SecurityMiddleware",
 "whitenoise.middleware.WhiteNoiseMiddleware",
- 'django.contrib.sessions.middleware.SessionMiddleware',
- 'django.middleware.common.CommonMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
- 'django.contrib.auth.middleware.AuthenticationMiddleware',
+ "django.contrib.sessions.middleware.SessionMiddleware",
+ "django.middleware.common.CommonMiddleware",
+ "django.middleware.csrf.CsrfViewMiddleware",
+ "django.contrib.auth.middleware.AuthenticationMiddleware",
 "lung_cancer_screening.questions.middleware.session_timeout.SessionTimeoutMiddleware",
- 'django.contrib.messages.middleware.MessageMiddleware',
- 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ "django.contrib.messages.middleware.MessageMiddleware",
+ "django.middleware.clickjacking.XFrameOptionsMiddleware",
+ "django.middleware.csp.ContentSecurityPolicyMiddleware",
 ]
 ROOT_URLCONF = 'lung_cancer_screening.urls'
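Review bot: The quote normalisation in the MIDDLEWARE hunk stops short of the hunk itself — the last context line, `ROOT_URLCONF = 'lung_cancer_screening.urls'`, is still single-quoted, so the file ends up mixed either way; a single `ruff format`/`black` pass over the module in its own commit would make the quoting consistent and keep this change down to the one line that matters, the new `"django.middleware.csp.ContentSecurityPolicyMiddleware"` entry. That middleware, as far as I recall, emits a header only when `SECURE_CSP` or `SECURE_CSP_REPORT_ONLY` is defined, which is not visible from this list, so a short comment on the new line would help the next reader, e.g. `# Sends Content-Security-Policy built from SECURE_CSP (defined further down); SECURE_CSP_REPORT_ONLY can be used to trial policy changes without blocking.`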
@@ -274,13 +276,21 @@ def pem_key_env(key, file_path_key=None):
 LOGIN_REDIRECT_URL_FAILURE = "/agree-to-share-information"
 ALLOW_LOGOUT_GET_METHOD = True
+DISABLE_RECENT_SUBMISSION_LIMITATION = boolean_env("DISABLE_RECENT_SUBMISSION_LIMITATION", default=False)
+
+COMMIT_SHA = environ.get("COMMIT_SHA", "unknown")
+
+SECURE_CSP = {
+ "default-src": [CSP.SELF],
+ "font-src": (CSP.SELF, "https://assets.nhs.uk"),
+ "script-src": (CSP.SELF, "'unsafe-inline'"),
+}
+
 # Additional security settings for production
 if not DEBUG:
+ SECURE_HSTS_SECONDS = 31536000
+ SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 SECURE_SSL_REDIRECT = False
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
 USE_X_FORWARDED_HOST = True
-
-DISABLE_RECENT_SUBMISSION_LIMITATION = boolean_env("DISABLE_RECENT_SUBMISSION_LIMITATION", default=False)
-
-COMMIT_SHA = environ.get("COMMIT_SHA", "unknown")
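Review bot: `"'unsafe-inline'"` in the `script-src` entry of the new `SECURE_CSP` gives away most of what the policy is meant to provide — the browser will execute any inline script that ends up in the page, so the header no longer limits the impact of a markup-injection bug, which is the main reason to ship a CSP at all. Django's CSP support appears to offer a per-request nonce (`CSP.NONCE` in the directive, exposed to templates as `request.csp_nonce`) that lets the site's own inline `<script>` tags keep working without the blanket allowance; rolling the policy out under `SECURE_CSP_REPORT_ONLY` first would show exactly which inline scripts and styles the pages need, and note that `style-src` falls back to `default-src` here, so inline styles are blocked once it is enforced. The `[CSP.SELF]` list versus the tuples on the other two directives is a small inconsistency worth tidying. Separately, `SECURE_HSTS_SECONDS = 31536000` commits every visiting browser to HTTPS for a year from the first production deploy, which cannot be undone if anything is still served over plain HTTP; Django's deployment guidance is to start with a short value and grow it, and whether `SECURE_HSTS_INCLUDE_SUBDOMAINS`/`SECURE_HSTS_PRELOAD` are wanted should be decided explicitly rather than left at their defaults. `SECURE_PROXY_SSL_HEADER` and the existing `USE_X_FORWARDED_HOST = True` both trust headers a client could set, so they are only safe when the fronting proxy overwrites `X-Forwarded-Proto` and `X-Forwarded-Host` on every request — a comment stating that assumption next to the `if not DEBUG:` block would help whoever next changes the ingress.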