diff --git a/src/http-transport.ts b/src/http-transport.ts
index f3b67f9..0284a12 100644
--- a/src/http-transport.ts
+++ b/src/http-transport.ts
@@ -106,6 +106,25 @@ export class HttpTransport {
 next();
 });
+ // Security: Standard security headers
+ this.app.use((req: Request, res: Response, next: NextFunction) => {
+ // Prevent clickjacking
+ res.setHeader('X-Frame-Options', 'DENY');
+ // Prevent MIME type sniffing
+ res.setHeader('X-Content-Type-Options', 'nosniff');
+ // Content Security Policy
+ res.setHeader('Content-Security-Policy', "default-src 'self'");
+
+ // Strict Transport Security (HSTS)
+ // Skip for localhost development to avoid browser issues
+ const isLocalhost = req.hostname === 'localhost' || req.hostname === '127.0.0.1';
+ if (!isLocalhost) {
+ res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ }
+
+ next();
+ });
+
 // DNS rebinding protection when binding to localhost
 // Deny requests with mismatched Host headers to prevent DNS rebinding attacks
 // Applies when server host is localhost/127.0.0.1, regardless of auth configuration
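Review bot: The loopback test at `const isLocalhost = req.hostname === 'localhost' || req.hostname === '127.0.0.1';` omits the IPv6 loopback, so the development exemption the comment describes does not apply when the server is reached as `[::1]`; Express keeps the brackets on IPv6 literals, so the value to compare is `'[::1]'` (worth confirming against the `req.hostname` implementation in use). Because `req.hostname` is derived from the client-supplied Host header (or X-Forwarded-Host under `trust proxy`), this branch decides on an untrusted value; the worst outcome is only a missing HSTS header, but it should share one loopback list with the DNS-rebinding check that follows so the two cannot drift apart. A single-line replacement would be `const isLocalhost = ['localhost', '127.0.0.1', '[::1]'].includes(req.hostname);`. Separately, the CSP on the line above sets only `default-src`, which does not govern who may frame the response; adding `frame-ancestors 'none'` there would keep the clickjacking defense from resting solely on the legacy `X-Frame-Options` header. The method that registers these middlewares starts before the hunk and continues after it.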