diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 2a0ce76bc39d8c96c009fdbb24b90ff5e1add84c..058919ee69c8121f6a5ad108dc726d5b865ede76 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -358,7 +358,12 @@
           --set controller.service.type=NodePort
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
           --set controller.config.proxy-body-size=0
+          --set controller.config.hide-headers='x-jupyterhub-version'
           --set controller.allowSnippetAnnotations=false
+          --set controller.addHeaders.X-Content-Type-Options=nosniff
+          --set controller.addHeaders.Referrer-Policy=no-referrer
+          --set controller.addHeaders.Permissions-Policy="geolocation=()"
+          --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'; report-uri /hub/security/csp-report; default-src 'self'"
           --version={{ version }}
       shell: |-
         helm status --namespace kube-system cluster-ingress