diff --git a/src/.env.example b/src/.env.example
--- a/src/.env.example
+++ b/src/.env.example
@@ -16,6 +16,9 @@
 APP_WITH_RESELLER=1
 APP_WITH_SERVICES=1
 
+APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
+APP_HEADER_XFO=sameorigin
+
 SIGNUP_LIMIT_EMAIL=0
 SIGNUP_LIMIT_IP=0
 
diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -22,6 +22,7 @@
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
         \App\Http\Middleware\DevelConfig::class,
         \App\Http\Middleware\Locale::class,
+        \App\Http\Middleware\ContentSecurityPolicy::class,
         // FIXME: CORS handling added here, I didn't find a nice way
         // to add this only to the API routes
         // \App\Http\Middleware\Cors::class,
@@ -86,6 +87,7 @@
         \Illuminate\Session\Middleware\AuthenticateSession::class,
         \Illuminate\Routing\Middleware\SubstituteBindings::class,
         \Illuminate\Auth\Middleware\Authorize::class,
+        \App\Http\Middleware\ContentSecurityPolicy::class,
     ];
 
     /**
diff --git a/src/app/Http/Middleware/ContentSecurityPolicy.php b/src/app/Http/Middleware/ContentSecurityPolicy.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/ContentSecurityPolicy.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ContentSecurityPolicy
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     *
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $headers = [
+            'csp' => 'Content-Security-Policy',
+            'xfo' => 'X-Frame-Options',
+        ];
+
+        $next = $next($request);
+
+        foreach ($headers as $opt => $header) {
+            if ($value = \config("app.headers.{$opt}")) {
+                $next->header($header, $value);
+            }
+        }
+
+        return $next;
+    }
+}
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -254,6 +254,11 @@
         'View' => Illuminate\Support\Facades\View::class,
     ],
 
+    'headers' => [
+        'csp' => env('APP_HEADER_CSP', ""),
+        'xfo' => env('APP_HEADER_XFO', ""),
+    ],
+
     // Locations of knowledge base articles
     'kb' => [
         // An article about suspended accounts
diff --git a/src/resources/js/app.js b/src/resources/js/app.js
--- a/src/resources/js/app.js
+++ b/src/resources/js/app.js
@@ -292,7 +292,7 @@
             }
         },
         isDegraded() {
-            return store.state.authInfo.isAccountDegraded
+            return store.state.authInfo && store.state.authInfo.isAccountDegraded
         },
         pageName(path) {
             let page = this.$route.path