diff --git a/cmd/rio/main.go b/cmd/rio/main.go
index 1585e98..c8b8f09 100644
--- a/cmd/rio/main.go
+++ b/cmd/rio/main.go
@@ -23,7 +23,7 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
-func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
+func handleSubdomain(domain, cname, path, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
 	hostParts := strings.Split(domain, ".")
 	username := hostParts[0]
 
@@ -45,16 +45,16 @@ func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaCl
 		return
 	}
 
-	pages.ServeFile(username, repo.Name, path, giteaClient, w)
+	pages.ServeFile(username, repo.Name, path, defaultCsp, giteaClient, w)
 }
 
-func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.HandlerFunc {
+func Handler(pagesDomain, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		w.Header().Set("Server", "rio")
 
 		if strings.HasSuffix(req.Host, pagesDomain) {
 			log.Debug("Domain can be directly handled")
-			handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, giteaClient, w)
+			handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
 			return
 		}
 
@@ -68,7 +68,7 @@ func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.H
 
 		if strings.HasSuffix(cname, pagesDomain) {
 			log.Debugf("%s is alias of %s and can be handled after a CNAME query", req.Host, cname)
-			handleSubdomain(cname, cname, req.URL.Path, giteaUrl, giteaClient, w)
+			handleSubdomain(cname, cname, req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
 			return
 		}
 
@@ -87,6 +87,7 @@ func runServer(ctx *cli.Context) error {
 	acmeHost := ctx.String("acme-host")
 	acmePort := ctx.String("acme-port")
 	acmeDisable := ctx.Bool("acme-disable")
+	defaultCsp := ctx.String("default-csp")
 
 	// Init Logging
 	if ctx.Bool("debug") {
@@ -172,7 +173,7 @@ func runServer(ctx *cli.Context) error {
 		listener = tls.NewListener(listener, tlsConfig)
 	}
 
-	if err := http.Serve(listener, Handler(domain, giteaUrl, &giteaClient)); err != nil {
+	if err := http.Serve(listener, Handler(domain, giteaUrl, defaultCsp, &giteaClient)); err != nil {
 		fmt.Printf("Listening failed")
 		return err
 	}
@@ -254,6 +255,12 @@ func main() {
 				Usage:   "Whether to enable debug logging",
 				EnvVars: []string{"DEBUG_ENABLE"},
 			},
+			&cli.StringFlag{
+				Name:    "default-csp",
+				Usage:   "The default CSP to include when sending HTTP responses",
+				Value:   "",
+				EnvVars: []string{"DEFAULT_CSP"},
+			},
 		},
 	}
 
diff --git a/internal/constants/const.go b/internal/constants/const.go
index 9bd3065..662b041 100644
--- a/internal/constants/const.go
+++ b/internal/constants/const.go
@@ -1,5 +1,6 @@
 package constants
 
 const (
+	// The branch to serve.
 	PagesBranch = "pages"
 )
diff --git a/internal/pages/pages.go b/internal/pages/pages.go
index d397054..685a84a 100644
--- a/internal/pages/pages.go
+++ b/internal/pages/pages.go
@@ -27,10 +27,23 @@ func makePageContentCacheEntry(username, path string) string {
 	return username + ":" + path
 }
 
-func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
-	// Provide a default
-	if path == "" {
+func addHeaders(csp, contentType string, w http.ResponseWriter) {
+	w.Header().Set("Content-Type", contentType)
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+
+	if csp != "" {
+		w.Header().Set("Content-Security-Policy", csp)
+	}
+}
+
+func ServeFile(username, reponame, path, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
+	// Provide a default file.
+	switch {
+	case path == "":
 		path = "/index.html"
+	case path[len(path)-1] == '/':
+		path = path + "index.html"
 	}
 
 	// Strip away a starting / as it messes with Gitea
@@ -59,15 +72,17 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
 		path,
 		since,
 	)
+	csp := repo.GetCSPForRepository(username, reponame, "", giteaClient)
 
 	if err != nil {
 		if !found {
 			log.Errorf("Failed to get file %s/%s/%s (%s)", username, reponame, path, err)
+			addHeaders(csp, "text/html", w)
 			w.WriteHeader(404)
 		} else {
 			log.Debugf("Request failed but page %s is cached in memory", path)
+			addHeaders(csp, mimeType, w)
 			w.WriteHeader(200)
-			w.Header().Set("Content-Type", mimeType)
 			w.Write(content)
 		}
 
@@ -76,8 +91,8 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
 
 	if found && !changed {
 		log.Debugf("Page %s is unchanged and cached in memory", path)
+		addHeaders(csp, mimeType, w)
 		w.WriteHeader(200)
-		w.Header().Set("Content-Type", mimeType)
 		w.Write(content)
 		return
 	}
@@ -98,7 +113,7 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
 	)
 
 	log.Debugf("Page %s requested from Gitea and cached in memory at %v", path, now)
-	w.Header().Set("Content-Type", mimeType)
+	addHeaders(csp, mimeType, w)
 	w.WriteHeader(200)
 	w.Write(content)
 }
diff --git a/internal/repo/repo.go b/internal/repo/repo.go
index 902c61e..528dfd9 100644
--- a/internal/repo/repo.go
+++ b/internal/repo/repo.go
@@ -18,6 +18,10 @@ var (
 
 	// Caching the existence of an user
 	userCache = cache.New(24*time.Hour, 12*time.Hour)
+
+	// Caches the existence of a Content-Security-Policy
+	// Mapping: Repository key -> CSPCacheEntry
+	cspCache = cache.New(24*time.Hour, 12*time.Hour)
 )
 
 type PageCacheEntry struct {
@@ -25,10 +29,19 @@ type PageCacheEntry struct {
 	Path       string
 }
 
+type CSPCacheEntry struct {
+	CSP           string
+	LastRequested time.Time
+}
+
 func makePageCacheKey(domain, path string) string {
 	return domain + "/" + path
 }
 
+func makeCSPCacheKey(username, repositoryName string) string {
+	return username + ":" + repositoryName
+}
+
 // / Try to find the repository with name @reponame of the user @username. If @cname
 // / is not "", then it also verifies that the repository contains a "CNAME" with
 // / the value of @cname as its content. @host, @domain, and @path are passed for
@@ -164,3 +177,41 @@ func CanRequestCertificate(username string, giteaClient *GiteaClient) bool {
 	}
 	return hasUser
 }
+
+// Checks the repository username/repository@PagesBranch for a file named CSP. If it exists,
+// read it and return the value. If it does not exist, return defaultCsp.
+func GetCSPForRepository(username, repositoryName, defaultCsp string, giteaClient *GiteaClient) string {
+	key := makeCSPCacheKey(username, repositoryName)
+	cachedCsp, found := cspCache.Get(key)
+	var since time.Time
+	if found {
+		since = cachedCsp.(CSPCacheEntry).LastRequested
+	}
+
+	fetchedCsp, changed, err := giteaClient.GetFile(
+		username,
+		repositoryName,
+		constants.PagesBranch,
+		"CSP",
+		&since,
+	)
+	csp := ""
+	if err != nil {
+		if found {
+			return cachedCsp.(CSPCacheEntry).CSP
+		}
+
+		csp = defaultCsp
+	} else {
+		csp = string(fetchedCsp)
+
+		if !found || changed {
+			cspCache.Set(key, CSPCacheEntry{
+				CSP:           csp,
+				LastRequested: time.Now(),
+			}, cache.DefaultExpiration)
+		}
+	}
+
+	return csp
+}
diff --git a/internal/repo/repo_test.go b/internal/repo/repo_test.go
index c533d37..8175c9a 100644
--- a/internal/repo/repo_test.go
+++ b/internal/repo/repo_test.go
@@ -11,6 +11,7 @@ import (
 func clearCache() {
 	pathCache.Flush()
 	userCache.Flush()
+	cspCache.Flush()
 }
 
 func TestPickingCorrectRepositoryDefault(t *testing.T) {