diff --git a/.sobelow-conf b/.sobelow-conf
new file mode 100644
index 0000000..d1b49e5
--- /dev/null
+++ b/.sobelow-conf
@@ -0,0 +1,12 @@
+[
+  verbose: true,
+  private: false,
+  skip: false,
+  router: "",
+  exit: "low",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.CSP", "Config.HTTPS"],
+  ignore_files: [""]
+]
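Review bot: `ignore: ["Config.CSP", "Config.HTTPS"]` suppresses two Sobelow findings without recording why. Config.CSP is presumably silenced because Sobelow looks for a policy in the `put_secure_browser_headers` options and will not recognise the custom `Home73kWeb.CSPHeader` plug this commit adds, but nothing in the diff addresses Config.HTTPS, so that entry hides a finding rather than resolving one; either note the reason next to the list (e.g. `# HTTPS is terminated by the reverse proxy — TODO confirm`) or drop it so the scanner keeps reporting it. With `exit: "low"` and `threshold: "low"`, any remaining finding fails the run, so if this config drives CI the ignore list is the only thing keeping it passing and each entry should be deliberate.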
diff --git a/lib/home73k_web/csp_header.ex b/lib/home73k_web/csp_header.ex
new file mode 100644
index 0000000..2b8d5e9
--- /dev/null
+++ b/lib/home73k_web/csp_header.ex
@@ -0,0 +1,21 @@
+defmodule Home73kWeb.CSPHeader do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    put_resp_header conn, "content-security-policy", csp(conn)
+  end
+
+  defp csp(conn) do
+    "default-src 'self'; \
+    connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
+    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
+    style-src 'self' 'unsafe-inline' 'unsafe-eval'"
+  end
+
+  defp ws_url(conn, protocol \\ "ws") do
+    endpoint = Phoenix.Controller.endpoint_module(conn)
+    %{endpoint.struct_url | scheme: protocol} |> URI.to_string()
+  end
+end
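Review bot: `script-src 'self' 'unsafe-inline' 'unsafe-eval'` in csp/1 makes the policy accept any inline or eval'd script, so the header does not mitigate XSS, which is the main reason to send one; a per-request nonce (`'nonce-<value>'`, with the same value on the page's `<script>` tags) would let `'unsafe-inline'` go, and `'unsafe-eval'` should stay only if a bundled dependency is known to need it. Because `put_resp_header/3` replaces the header outright and router.ex adds `plug CSPHeader` after `put_secure_browser_headers`, whatever `content-security-policy` value that Phoenix plug emits (recent Phoenix versions send `base-uri 'self'; frame-ancestors 'self'`) is discarded; if that applies to this project's Phoenix version, carry the directives over, e.g. `"default-src 'self'; base-uri 'self'; frame-ancestors 'self'; \`. The module implements a Plug but declares neither `@behaviour Plug` nor `@impl true` on init/1 and call/2, and has no `@moduledoc`; suggest `@moduledoc "Plug that sets a Content-Security-Policy header; the ws/wss origins in connect-src are derived from the endpoint's struct_url so socket connections remain allowed."`. The `\` continuations also keep each line's leading indentation inside the header value — harmless since CSP is whitespace-tolerant, but building the directives as a list and joining them with `"; "` would be clearer and easier to review.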
diff --git a/lib/home73k_web/router.ex b/lib/home73k_web/router.ex
index 7513ea4..b50998c 100644
--- a/lib/home73k_web/router.ex
+++ b/lib/home73k_web/router.ex
@@ -1,5 +1,6 @@
 defmodule Home73kWeb.Router do
   use Home73kWeb, :router
+  alias Home73kWeb.CSPHeader
 
   pipeline :browser do
     plug :accepts, ["html"]
@@ -8,6 +9,7 @@ defmodule Home73kWeb.Router do
     plug :put_root_layout, {Home73kWeb.LayoutView, :root}
     plug :protect_from_forgery
     plug :put_secure_browser_headers
+    plug CSPHeader
   end
 
   pipeline :xml_rss do