diff --git a/app/main.py b/app/main.py
index d710690..37de9ef 100644
--- a/app/main.py
+++ b/app/main.py
@@ -133,7 +133,12 @@ class CustomMiddleware:
 # TODO(ts): disallow inline CSS?
 headers[
 "content-security-policy"
- ] = "default-src 'self' style-src 'unsafe-inline';"
+ ] = "default-src 'self'; style-src 'self' 'unsafe-inline';"
+ headers["permissions-policy"] = (
+ "geolocation=(), midi=(), camera=(), usb=(), "
+ "magnetometer=(), accelerometer=(), vr=(), speaker=(), "
+ "ambient-light-sensor=(), gyroscope=(), microphone=()"
+ )
 if not DEBUG:
 headers[
 "strict-transport-security"
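Review bot: In the new `permissions-policy` value, `vr` and `speaker` are legacy Feature-Policy names that current browsers do not recognise as Permissions-Policy features, so those two entries are likely ignored (typically with a console warning) rather than enforced. If the intent is to deny them, `vr=()` would become `xr-spatial-tracking=()` and `speaker=()` would become `speaker-selection=()` or be dropped. Separately, the corrected CSP still relies on `default-src`, which is not a fallback for `base-uri`, `form-action` or `frame-ancestors`; appending `base-uri 'self'; form-action 'self'; frame-ancestors 'self';` would cover them, provided the app has no cross-origin form posts or embedding. The enclosing method starts and ends outside the hunk, so whether these headers are set elsewhere cannot be seen here.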