diff --git a/.eleventy.js b/.eleventy.js
index 55f09111..bdb1efb3 100644
--- a/.eleventy.js
+++ b/.eleventy.js
@@ -35,6 +35,7 @@ export default async function (eleventyConfig) {
   // passthrough
   eleventyConfig.addPassthroughCopy('src/assets')
   eleventyConfig.addPassthroughCopy('_redirects')
+  eleventyConfig.addPassthroughCopy('_headers')
   eleventyConfig.addPassthroughCopy({
     'node_modules/minisearch/dist/umd/index.js': 'assets/scripts/components/minisearch.js',
   })
diff --git a/_headers b/_headers
new file mode 100644
index 00000000..1585f586
--- /dev/null
+++ b/_headers
@@ -0,0 +1,39 @@
+/feeds/posts
+  Content-Type: application/xml; charset=utf-8
+  x-content-type-options: nosniff
+
+/feeds/links
+  Content-Type: application/xml; charset=utf-8
+  x-content-type-options: nosniff
+
+/feeds/books
+  Content-Type: application/xml; charset=utf-8
+  x-content-type-options: nosniff
+
+/.well-known/webfinger
+  Content-Type: application/jrd+json; charset=utf-8
+
+/.well-known/gpc.json
+  Content-Type: application/jrd+json; charset=utf-8
+
+/.well-known/traffic-advice
+  Content-Type: application/trafficadvice+json
+
+/contribute.json
+  Content-Type: application/json
+
+/api/now-playing
+  Content-Type: application/json
+
+/api/search
+  Content-Type: application/json
+
+/blogroll.opml
+  Content-Disposition: attachment; filename=cory-dransfeldt-blogroll.opml
+
+/*
+  Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content;
+  X-Frame-Options: DENY
+  X-XSS-Protection: 1; mode=block
+  Referrer-Policy: strict-origin-when-cross-origin, no-referrer-when-downgrade
+  Permissions-Policy: autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=()
\ No newline at end of file