diff --git a/config/services.yaml b/config/services.yaml
index 2a5167d..95a0948 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -4,6 +4,9 @@
 # Put parameters here that don't need to change on each machine where the app is deployed
 # https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration
 parameters:
+ security:
+ csp_policy: "default-src 'none'; font-src 'self'; style-src 'self'; script-src 'self'; img-src 'self'; form-action 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'none'; "
+ referer_policy: "same-origin"
 services:
 # default configuration for services in *this* file
diff --git a/package.json b/package.json
index 8f1ea2e..ade666b 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,8 @@
 "vite-plugin-symfony": "^0.3.0"
 },
 "scripts": {
- "dev": "vite",
+ "watch": "vite build --minify=false --sourcemap --watch",
+ "build-dev": "vite build --minify=false --sourcemap",
 "build": "vite build"
 },
 "repository": {
diff --git a/src/EventListener/ExceptionListener.php b/src/EventSubscriber/ExceptionListener.php
similarity index 97%
rename from src/EventListener/ExceptionListener.php
rename to src/EventSubscriber/ExceptionListener.php
index 6c63b46..316bd43 100644
--- a/src/EventListener/ExceptionListener.php
+++ b/src/EventSubscriber/ExceptionListener.php
@@ -1,6 +1,6 @@ params = $params;
+ }
+
+ public function onResponse(ResponseEvent $event)
+ {
+ $response = $event->getResponse();
+ $securitypolicy = $this->params->get('security');
+ $csp = $securitypolicy['csp_policy'];
+ $referer = $securitypolicy['referer_policy'];
+ $response->headers->set("Content-Security-Policy", $csp);
+ $response->headers->set("Referrer-Policy", $referer);
+ }
+
+ public static function getSubscribedEvents()
+ {
+ return [
+ KernelEvents::RESPONSE => 'onResponse'
+ ];
+ }
+}
\ No newline at end of file
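Review bot: The `csp_policy` value ends in `; ` — a trailing empty directive plus whitespace that is harmless in browsers but makes the header look malformed to stricter parsers and header-audit tools; end the string at `base-uri 'none'` instead. With `default-src 'none'` and no `connect-src`, any `fetch`/XHR issued by the bundled scripts will be blocked, which may be intended but should be confirmed against the front end. `require-trusted-types-for 'script'` is only enforced by Chromium-based browsers, so it cannot be the sole DOM-XSS control. If the Symfony web profiler toolbar is enabled in dev, its inline scripts and styles will also be blocked by `script-src 'self'`/`style-src 'self'`, so an environment-specific override of this parameter is probably needed. The key is spelled `referer_policy` while the header it feeds is `Referrer-Policy`; naming it `referrer_policy` (with the matching change in the subscriber) avoids the mismatch.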
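Review bot: Both new scripts pass `--sourcemap`, so unminified bundles and their `.map` files land in the Vite output directory; if that directory is ever deployed as-is, the original sources become publicly readable, so it should be made explicit (e.g. in the README) that only `build` produces production artifacts. The `dev` script is removed rather than replaced, so `npm run dev` now fails; if dropping the Vite dev server was deliberate (its injected inline/HMR scripts would be blocked by the strict CSP added in this commit), a short note or a `dev` alias pointing at `watch` would save the next developer a surprise.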
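Review bot: `onResponse` unconditionally overwrites any `Content-Security-Policy` or `Referrer-Policy` that a controller or earlier listener already set, because `headers->set()` replaces the header; either guard with `if (!$response->headers->has('Content-Security-Policy')) { ... }` (and likewise for `Referrer-Policy`) or document that this subscriber is authoritative for both headers. It also fires for sub-requests (fragments/ESI), so `if (!$event->isMainRequest()) { return; }` at the top (`isMasterRequest()` on Symfony < 5.3) keeps the header logic to the main response. Both `onResponse` and `getSubscribedEvents()` lack return types (`: void` and `: array`), and `$securitypolicy` would read better as `$securityPolicy`. The file header and the start of the constructor are outside the visible part of this hunk, so the class name and `$params` type could not be checked.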