diff --git a/common_config.php b/common_config.php
index abca9da..eb61f8a 100644
--- a/common_config.php
+++ b/common_config.php
@@ -111,3 +111,23 @@ function blacklist_scams($address, $content){
 }
 }
 }
+
+function send_headers(array $styles = []){
+ header('Content-Type: text/html; charset=UTF-8');
+ header('Pragma: no-cache');
+ header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private');
+ header('Expires: 0');
+ header('Referrer-Policy: no-referrer');
+ header("Permissions-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; cross-origin-isolated 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; geolocation 'none'; fullscreen 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; screen-wake-lock 'none'; sync-xhr 'none'; usb 'none'; web-share 'none'; xr-spatial-tracking 'none'; clipboard-read 'none'; clipboard-write 'none'; gamepad 'none'; speaker-selection 'none'; conversion-measurement 'none'; focus-without-user-activation 'none'; hid 'none'; idle-detection 'none'; sync-script 'none'; vertical-scroll 'none'; serial 'none'; trust-token-redemption 'none';");
+ $style_hashes = '';
+ foreach($styles as $style) {
+ $style_hashes .= " 'sha256-".base64_encode(hash('sha256', $style, true))."'";
+ }
+ header("Content-Security-Policy: default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; media-src 'self'; style-src 'self'$style_hashes");
+ header('X-Content-Type-Options: nosniff');
+ header('X-Frame-Options: sameorigin');
+ header('X-XSS-Protection: 1; mode=block');
+ if($_SERVER['REQUEST_METHOD'] === 'HEAD'){
+ exit; // headers sent, no further processing needed
+ }
+}
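Review bot: The Permissions-Policy value in the sixth added `header()` call uses the older Feature-Policy grammar (`feature 'none';`), whereas Permissions-Policy is parsed as a structured-field dictionary, so browsers that implement it reject the whole value and none of these restrictions take effect; the equivalent is `header('Permissions-Policy: accelerometer=(), camera=(), geolocation=(), microphone=(), payment=(), usb=(), …');` with one `name=()` pair per feature, keeping the same list. Relatedly, `default-src 'none'` does not govern `frame-ancestors` or `base-uri`, so the Content-Security-Policy line should end with `; frame-ancestors 'self'; base-uri 'none'` instead of relying on the legacy `X-Frame-Options` alone, and `X-XSS-Protection: 1; mode=block` is now recommended as `X-XSS-Protection: 0` because the browser filter it enables has been withdrawn and was itself a source of problems. The `$_SERVER['REQUEST_METHOD']` read at the end raises an undefined-index notice when this file is included from the CLI; `($_SERVER['REQUEST_METHOD'] ?? '') === 'HEAD'` avoids that. A short docblock stating that each entry of `$styles` must later be echoed byte-for-byte as the body of a `<style>` element for its hash to match would help callers.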
diff --git a/www/admin.php b/www/admin.php index e8d433b..695b07b 100644 --- a/www/admin.php +++ b/www/admin.php @@ -1,9 +1,7 @@ PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT]); }catch(PDOException $e){ @@ -14,7 +12,7 @@ echo ''; echo "$I[admintitle]"; echo ''; echo ''; -echo ''; +echo ''; echo ''; echo "

$I[admintitle]

"; print_langs(); diff --git a/www/onions.php b/www/onions.php index 1ebe733..449c3aa 100644 --- a/www/onions.php +++ b/www/onions.php @@ -42,7 +42,11 @@ if(!isset($_REQUEST['format'])){ function send_html(){ global $I, $categories, $db, $language; - header('Content-Type: text/html; charset=UTF-8'); + $style = '.red{color:red} .green{color:green} .up td+td+td{background-color:#aaff88} .down td+td+td{background-color:#ff4444}'; + $style .= '.promo{outline:medium solid #FFD700} .list{display: inline-block; padding: 0; margin: 0} .list li{display:inline}'; + $style .= '.active{font-weight:bold} .down td+td+td+td+td,.up td+td+td+td+td{background-color:unset} #maintable td{word-break:break-all}'; + $style .= '#maintable td+td+td{word-break:unset} #maintable tr td:first-child{min-width:16em} .software-link{text-align:center;font-size:small}'; + send_headers([$style]); asort($categories); //sql for special categories $special=[ @@ -65,7 +69,7 @@ function send_html(){ echo ''; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; echo "

$I[title]

"; diff --git a/www/test.php b/www/test.php index 0a03444..61dc635 100644 --- a/www/test.php +++ b/www/test.php @@ -1,16 +1,13 @@ '; echo "$I[testtitle]"; echo ''; echo ''; echo ''; -echo ''; +echo ''; echo ''; echo '

Online-Test

'; print_langs();