diff --git a/lemoncurry/settings/base.py b/lemoncurry/settings/base.py
index fcbb1d0..b973a26 100644
--- a/lemoncurry/settings/base.py
+++ b/lemoncurry/settings/base.py
@@ -27,6 +27,31 @@ DEBUG = True
 
 ALLOWED_HOSTS = []
 
+# Settings to tighten up security - these can safely be on in dev mode too,
+# since I dev using a local HTTPS server.
+
+# Strict-Transport-Security: max out everything, we never want to serve
+# anything over insecure HTTP.
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
+# Only allow cookies to be sent from the client over secure HTTP.
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+# Miscellanous headers to protect against attacks.
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+X_FRAME_OPTIONS = 'DENY'
+
+# This technically isn't needed, since nginx doesn't let the app be accessed
+# over insecure HTTP anyway. Just for completeness!
+SECURE_SSL_REDIRECT = True
+
+# We run behind nginx, so we need nginx to tell us whether we're using HTTPS or
+# not.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
 # Application definition