diff --git a/mkdocs.production.yml b/mkdocs.production.yml
index a7c9fbf6..736a5b33 100644
--- a/mkdocs.production.yml
+++ b/mkdocs.production.yml
@@ -2,10 +2,8 @@ INHERIT: mkdocs.yml
 plugins:
   meta: {}
   privacy:
-    external_assets_exclude:
-      - cdn.jsdelivr.net/npm/mathjax@3/*
-      - api.privacyguides.net/*
-      - giscus.app/*
+    external_assets_exclude: ['https://cdn.jsdelivr.net/npm/mathjax@3/*', 'https://api.privacyguides.net/*']
+    external_links_noopener: true
   git-committers:
     enabled: !ENV [PRODUCTION, false]
     repository: privacyguides/privacyguides.org
diff --git a/netlify.toml b/netlify.toml
index 36e2af84..d61ca185 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -5,6 +5,20 @@
 [context.production.environment]
   PRODUCTION = "true"
 
+[[headers]]
+  for = "/*"
+  [headers.values]
+    X-Frame-Options = "DENY"
+    X-XSS-Protection = "0"
+    X-Content-Type-Options = "nosniff"
+    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+    Content-Security-Policy = "default-src 'none'; script-src https://www.privacyguides.org https://api.privacyguides.net 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src data: 'self'; connect-src https://api.github.com https://api.privacyguides.net 'self'"
+
+[[headers]]
+  for = "/about/donate/"
+  [headers.values]
+    Content-Security-Policy = "default-src 'none'; script-src https://opencollective.com https://www.privacyguides.org https://api.privacyguides.net 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src https://opencollective.com data: 'self'; connect-src https://api.github.com https://api.privacyguides.net 'self'; frame-src https://opencollective.com"
+
 [[redirects]]
   from = "/.well-known/matrix/*"
   to = "https://matrix.privacyguides.org/.well-known/matrix/:splat"
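Review bot: The rewritten `external_assets_exclude` patterns now carry an `https://` scheme, whereas the removed lines (and the privacy plugin's documented examples) use bare host/path globs; if the plugin matches patterns against host + path only, these entries would silently stop matching and MathJax and api.privacyguides.net assets would be fetched and bundled at build time — confirm against the plugin's matcher before relying on it. The `giscus.app/*` exclusion is also dropped here with no corresponding allowance in the netlify.toml CSP, so if giscus is still embedded anywhere its assets will either be self-hosted by the plugin or blocked by `frame-src`/`script-src`; it is worth stating in the commit which of these is intended. On style, the flow-sequence form produces a single very long line; the block form the file already used diffs more cleanly: `external_assets_exclude:` followed by one `- '…'` entry per line.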
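Review bot: The `/about/donate/` rule only adds a second `Content-Security-Policy`; unless Netlify replaces rather than stacks header values from the `/*` rule, the browser will receive both policies and enforce their intersection, and because the `/*` policy sets `default-src 'none'` with no `frame-src`, the opencollective.com frame that the page-specific policy tries to permit would still be blocked — verify by inspecting the response headers of the deployed donate page. Independently, `default-src` does not govern `base-uri`, `form-action` or `frame-ancestors`, so both policies leave those at browser defaults; since `script-src` allows `'unsafe-inline'`, adding `base-uri 'self'; form-action 'self'; frame-ancestors 'none'` to each policy closes the remaining gaps (and `frame-ancestors 'none'` makes the `X-Frame-Options = "DENY"` line a legacy fallback rather than the primary control). A `Referrer-Policy` header is also absent from the `/*` block and is cheap to add alongside the others.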