diff --git a/next.config.mjs b/next.config.mjs
index 66cde4fd..7566b4d1 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -7,7 +7,31 @@ const nextConfig = {
       bodySizeLimit: '2mb'
     }
   },
-  output: 'standalone'
+  output: 'standalone',
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          { key: "X-Content-Type-Options", value: "nosniff" },
+          { key: "X-Frame-Options", value: "DENY" },
+          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
+          {
+            key: "Content-Security-Policy",
+            value: [
+              "default-src 'self'",
+              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // Next.js requires unsafe-inline/eval in dev
+              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+              "font-src 'self' https://fonts.gstatic.com",
+              "img-src 'self' data: blob:",
+              "connect-src 'self'",
+              "frame-ancestors 'none'",
+            ].join("; "),
+          },
+        ],
+      },
+    ];
+  },
 };
 
 export default nextConfig;
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 48806f7e..facac821 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -89,7 +89,7 @@ function createOAuthProviders(): OAuthConfig<any>[] {
       authorization: config.oauth.authorizationUrl ?? undefined,
       token: config.oauth.tokenUrl ?? undefined,
       userinfo: config.oauth.userinfoUrl ?? undefined,
-      checks: ["state"],
+      checks: ["pkce", "state"],
       profile(profile) {
         return {
           id: profile.sub ?? profile.id,