diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index f650cab65..6e108ec18 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -11,6 +11,45 @@ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=H
 RedirectMatch "^/$" "/plinth"
 RedirectMatch "^/freedombox" "/plinth"
 
+##
+## Disable sending Referer (sic) header from FreedomBox web interface to
+## external websites. This improves privacy by not disclosing FreedomBox
+## domains/URLs to external domains. Apps such as blogs which want to popularize
+## themselves with referrer header may still do so.
+##
+## A strict Content Security Policy.
+## - @fonts are allowed only from FreedomBox itself.
+## - <frame>/<iframe> sources are disabled.
+## - <img> sources are allowed only from FreedomBox itself.
+## - Manifest file is not allowed as there is none yet.
+## - <audio>, <video>, <track> tags are not allowed yet.
+## - <object>, <embed>, <applet> tags are not allowed yet.
+## - Allow JS from FreedomBox itself (no inline and attribute scripts).
+## - Allow inline CSS and CSS files from Freedombox itself.
+## - Web worker sources are disabled.
+## - All other fetch sources including Ajax are not allowed from FreedomBox
+##   itself.
+## - <base> tag is not allowed.
+## - No plugins types are alllowed since object-src is 'none'.
+## - Form action should be to FreedomBox itself.
+## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
+## - When serving HTTPS, don't allow HTTP assets.
+##
+## Enable strict sandboxing enabled with some exceptions:
+## - Allow running Javascript.
+## - Allow popups as sometimes we use <a target=_blank>
+## - Allow forms to support configuration forms.
+## -
+##
+## Disable browser guessing of MIME types. FreedoBox already sets good content
+## types for all the common file types.
+##
+<Location /plinth>
+    Header set Referrer-Policy 'same-origin'
+    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'none'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+    Header set X-Content-Type-Options 'nosniff'
+</Location>
+
 ##
 ## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
 ## icon using <link rel=''>.
