diff --git a/next.config.mjs b/next.config.mjs
index 56e1e69..3c2cec6 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -1,4 +1,4 @@
-const SUPABASE_URL = process.env.NEXT_PUBLIC_SUPABASE_URL_SOURCE;
+const SUPABASE_URL = new URL(`https://${process.env.NEXT_PUBLIC_SUPABASE_URL_SOURCE}`).hostname;
 
 const nextConfig = {
   reactStrictMode: true,
@@ -38,5 +38,55 @@ const nextConfig = {
       },
     ],
   },
+
+  async headers() {
+    return [
+      {
+        source: "/:path*",
+        headers: [
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "X-XSS-Protection",
+            value: "1; mode=block",
+          },
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "Strict-Transport-Security",
+            value: "max-age=63072000; includeSubDomains; preload",
+          },
+          {
+            key: "Permissions-Policy",
+            value: "geolocation=(), microphone=(), camera=()",
+          },
+          {
+            key: "Content-Security-Policy",
+            value: `
+              default-src 'self';
+              script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com;
+              style-src 'self' 'unsafe-inline' fonts.googleapis.com;
+              img-src 'self' data: https://${SUPABASE_URL} https://upload.wikimedia.org https://avatars.githubusercontent.com https://assets.republic.com https://media.licdn.com;
+              font-src 'self' fonts.gstatic.com;
+              connect-src 'self' https://${SUPABASE_URL};
+              frame-ancestors 'none';
+              object-src 'none';
+            `
+              .replace(/\s{2,}/g, " ")
+              .trim(),
+          },
+        ],
+      },
+    ];
+  },
 };
+
 export default nextConfig;
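Review bot: The new `SUPABASE_URL` derivation never fails on bad input: when `NEXT_PUBLIC_SUPABASE_URL_SOURCE` is unset the template becomes `https://undefined`, `.hostname` yields the string `undefined`, and that literal is interpolated into the `img-src` and `connect-src` directives in the second hunk; a value that already carries a scheme also parses without error but yields the wrong hostname. Since this is a build-time constant, failing loudly is preferable to shipping a CSP that allow-lists a bogus host. Suggest `const rawHost = process.env.NEXT_PUBLIC_SUPABASE_URL_SOURCE;`, `if (!rawHost) throw new Error("NEXT_PUBLIC_SUPABASE_URL_SOURCE is not set");`, and `const SUPABASE_URL = new URL(rawHost.includes("://") ? rawHost : `https://${rawHost}`).hostname;`. A short comment above the line stating that only the hostname is used (the CSP source list cannot take a full URL with a path) would also help the next maintainer.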
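Review bot: The `script-src` directive in the new Content-Security-Policy includes both `'unsafe-inline'` and `'unsafe-eval'`, which leaves script injection essentially unmitigated and reduces the policy to a host allowlist for external scripts; the hardening value of this header comes almost entirely from dropping those two keywords, which in Next.js is normally done with a per-request nonce set in middleware (or hash-based sources for fixed inline scripts). The policy also sets no `base-uri` or `form-action`, which `default-src` does not cover, so `base-uri 'self'; form-action 'self';` would be worth adding alongside `object-src 'none'`. `X-XSS-Protection: 1; mode=block` is a legacy header whose auditor has been removed from current Chromium; current guidance is to send `value: "0"` (or omit it) and rely on the CSP. The HSTS value carries `preload`, which is effectively irreversible once the domain is submitted to the preload list and binds every subdomain to HTTPS via `includeSubDomains`, so that deserves an explicit comment confirming it is intended.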