diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 3ef8070a..e4c35482 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -38,6 +38,7 @@ class Kernel extends HttpKernel
 \App\Http\Middleware\LinkHeadersMiddleware::class,
 \App\Http\Middleware\LocalhostSessionMiddleware::class,
 \App\Http\Middleware\ActivityStreamLinks::class,
+ \App\Http\Middleware\CSPHeader::class,
 ],
 'api' => [
diff --git a/app/Http/Middleware/CSPHeader.php b/app/Http/Middleware/CSPHeader.php
new file mode 100644
index 00000000..2be2823a
--- /dev/null
+++ b/app/Http/Middleware/CSPHeader.php
@@ -0,0 +1,46 @@
+header(
+ 'Content-Security-Policy',
+ "default-src 'self'; " .
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:; " .
+ "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net; " .
+ "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net; " .
+ "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net; " .
+ "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:; " .
+ "worker-src 'self' blob:; " .
+ "frame-src 'self' https://www.youtube.com blob:; " .
+ "child-src 'self' blob:; " .
+ "upgrade-insecure-requests; " .
+ "block-all-mixed-content; " .
+ "report-to csp-endpoint;" .
+ "report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;"
+ )
+ ->header(
+ 'Report-To',
+ "{" .
+ "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
+ "'group': 'csp-endpoint'," .
+ "'max-age': 10886400" .
+ "}"
+ );
+ }
+}
diff --git a/changelog.md b/changelog.md
index 721dd3fb..d0f35b8d 100644
--- a/changelog.md
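Review bot: The `Report-To` value built in the second `->header()` call is not valid JSON (single-quoted keys and strings), so browsers will discard it and the `report-to csp-endpoint` directive never delivers a report; only the legacy `report-uri` fallback on the line above it works. The Reporting API expects double-quoted JSON with the endpoint inside an `endpoints` array and the field spelled `max_age`, so build the value with `json_encode()` instead of a hand-concatenated string. Separately, `'unsafe-inline' 'unsafe-eval'` in `script-src` leaves the policy unable to block injected scripts, which deserves a `// TODO: replace 'unsafe-inline'/'unsafe-eval' with nonces or hashes once inline scripts are catalogued` comment, and `base-uri`/`form-action` do not inherit from `default-src`, so `base-uri 'self'; form-action 'self';` should be added explicitly. The start of this hunk appears garbled in the rendering (`+header(` cannot be the first line of the file), so the middleware's method signature and the `$next($request)` call are presumably there but not visible here.
```php
// … unchanged: Content-Security-Policy header …
->header(
    'Report-To',
    json_encode([
        'group' => 'csp-endpoint',
        'max_age' => 10886400,
        'endpoints' => [
            ['url' => 'https://jonnybarnes.report-uri.io/r/default/csp/enforce'],
        ],
    ], JSON_UNESCAPED_SLASHES)
);
```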
+++ b/changelog.md
@@ -2,6 +2,7 @@
 ## Version {next}
 - Add CORS headers as necessary in the Laravel app (as oppose to using nginx)
+ - Add CSP headers
 ## Version 0.16.1 (2018-02-17)
 - Fix issue where OwnYourSwarm requests include h-adr block for location
diff --git a/tests/Feature/CSPHeadersTest.php b/tests/Feature/CSPHeadersTest.php
new file mode 100644
index 00000000..1d558dbc
--- /dev/null
+++ b/tests/Feature/CSPHeadersTest.php
@@ -0,0 +1,16 @@
+get('/');
+ $response->assertHeader('Content-Security-Policy');
+ $response->assertHeader('Report-To');
+ }
+}
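Review bot: Both `assertHeader()` calls only check that the header exists, so a malformed or empty policy still passes; the `Report-To` value this commit emits is single-quoted rather than JSON, and this test does not catch it. Decode the value and assert on the result, `$this->assertNotNull(json_decode($response->headers->get('Report-To'), true));`, and pin at least the leading directive of the CSP, `$this->assertStringStartsWith("default-src 'self';", $response->headers->get('Content-Security-Policy'));`, so a regression in either header's content fails the build. The test method's opening lines, including the `$this->get('/')` call, are not visible in the hunk as rendered.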