diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f1b32a533..1737f929a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -29,6 +29,9 @@ jobs:
           git clone https://github.com/open-contracting/ocds-extensions-translations.git
           ocdsextensionregistry generate-data-file --locale-dir ocds-extensions-translations/locale > extension_explorer/data/extensions.json
           python freeze.py
+          echo "/*
+            Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https://use.fontawesome.com; img-src 'self' data: https:; font-src 'self' https://use.fontawesome.com https://use.typekit.net; object-src 'none'; worker-src 'none';
+            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload" > extension_explorer/build/_headers
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3
         with: