diff --git a/src/app.js b/src/app.js
index 1ec144a..9636fff 100644
--- a/src/app.js
+++ b/src/app.js
@@ -80,17 +80,25 @@ app.use(function *(next) {
 // Set HTTP response headers
 app.use(function *(next) {
+ // HSTS
 if (util.isTrue(config.server.httpsUpgrade)) {
 this.set('Strict-Transport-Security', 'max-age=16070400');
 }
+ // HPKP
 if (config.server.httpsKeyPin && config.server.httpsKeyPinBackup) {
 this.set('Public-Key-Pins', 'pin-sha256="' + config.server.httpsKeyPin + '"; pin-sha256="' + config.server.httpsKeyPinBackup + '"; max-age=16070400');
 }
+ // CSP
+ this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'");
+ // Prevent rendering website in foreign iframe (Clickjacking)
+ this.set('X-Frame-Options', 'DENY');
+ // CORS
 this.set('Access-Control-Allow-Origin', '*');
 this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
 this.set('Access-Control-Allow-Headers', 'Content-Type');
 this.set('Cache-Control', 'no-cache');
 this.set('Connection', 'keep-alive');
+
 yield next;
 });
diff --git a/src/static/demo.html b/src/static/demo.html
index 6f8a8d7..be4283c 100644
--- a/src/static/demo.html
+++ b/src/static/demo.html
@@ -40,7 +40,7 @@
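Review bot: The new `X-Frame-Options: DENY` line is not mirrored in the `Content-Security-Policy` set just above it, which has no `frame-ancestors` directive; CSP-aware browsers take `frame-ancestors` as authoritative when present and X-Frame-Options is legacy, so the framing policy should be stated in both places: `this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'; frame-ancestors 'none'");`. While adding hardening headers here, the usual companion `this.set('X-Content-Type-Options', 'nosniff');` is also absent from this middleware. Note that this CSP is applied to every response, so if any static page served by the app (the demo page touched in the next hunk, for instance) relies on inline script or style, `default-src 'self'` will block it — worth confirming in a browser console after deploy. The surrounding file and the module-level `config`/`util` bindings are outside the hunk.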

OpenPGP key lookup

- +