diff --git a/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml b/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml
new file mode 100644
index 00000000..ecd318f5
--- /dev/null
+++ b/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ The following headers were added as additional default (and static) values.
+ `X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
+ `Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally,
+ the `X-Frame-Options DENY` header was added, defaulting to DENY. You may
+ override the header via the `keystone_x_frame_options` variable.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 53383480..a04037b1 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -12,6 +12,11 @@ Listen {{ keystone_service_port }}
 CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
 Options +FollowSymLinks
+ Header set X-Content-Type-Options "nosniff"
+ Header set X-XSS-Protection "1; mode=block"
+ Header set Content-Security-Policy "default-src 'self' https: wss:;"
+ Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
+
 {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
 SSLEngine on
 SSLCertificateFile {{ keystone_ssl_cert }}
@@ -75,6 +80,7 @@ Listen {{ keystone_admin_port }}
 CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
 Options +FollowSymLinks
+
 {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
 SSLEngine on
 SSLCertificateFile {{ keystone_ssl_cert }}
diff --git a/templates/keystone_nginx.conf.j2 b/templates/keystone_nginx.conf.j2
index 492f2ea4..736a4232 100644
--- a/templates/keystone_nginx.conf.j2
+++ b/templates/keystone_nginx.conf.j2
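Review bot: The four `Header set` lines in the first hunk of keystone-httpd.conf.j2 use mod_headers' default `onsuccess` table, so responses Apache generates itself (its own 403/404 pages, or a 503 when the uwsgi backend is unreachable) go out without these headers; `Header always set X-Content-Type-Options "nosniff"` (and the same for the other three) puts them on every response. The second hunk, for the admin virtual host under `Listen {{ keystone_admin_port }}`, adds only a blank line, so presumably the same header block was meant to be added there as well, since the release note describes the headers as defaults rather than as limited to the public port. `default-src 'self' https: wss:` also permits any HTTPS or WSS origin, which reduces the CSP to little more than a mixed-content guard; if that breadth is deliberate, a comment above the block explaining why (and noting that only X-Frame-Options is overridable) would help the next maintainer. The enclosing `<VirtualHost>` blocks begin and end outside both hunks.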
@@ -22,6 +22,11 @@ server {
 access_log /var/log/nginx/{{ item }}-access.log custom;
 error_log /var/log/nginx/{{ item }}-error.log info;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "default-src 'self' https: wss:;";
+ add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};
+
 location / {
 try_files $uri @yourapplication;
 }
diff --git a/vars/suse-42.yml b/vars/suse-42.yml
index 4abc8de6..90c5fedf 100644
--- a/vars/suse-42.yml
+++ b/vars/suse-42.yml
@@ -87,6 +87,8 @@ keystone_apache_modules:
 state: "present"
 - name: "proxy_uwsgi"
 state: "present"
+ - name: "headers"
+ state: "present"
 keystone_nginx_conf_path: 'conf.d'
diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml
index 17de72b9..ae548ec1 100644
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -77,6 +77,8 @@ keystone_apache_modules:
 state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
 - name: "proxy_http"
 state: "present"
+ - name: "headers"
+ state: "present"
 keystone_nginx_conf_path: "sites-available"
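Review bot: The `add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};` line leaves the templated value unquoted, so an override containing whitespace is split into a third argument that nginx only accepts as `always`, and the configuration test fails; the httpd template quotes the same expression, so `add_header X-Frame-Options "{{ keystone_x_frame_options | default('DENY') }}";` keeps the two consistent. nginx's `add_header` without the `always` parameter only attaches to a fixed set of 2xx/3xx status codes, so the 401 responses keystone returns for failed authentication carry none of these headers; appending `always` to each of the four directives fixes that. A comment above the block is also worth adding, since nginx drops server-level `add_header` directives in any `location` that declares its own, so a future `add_header` inside `location /` would silently remove all four. The enclosing `server` block begins and ends outside the hunk.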