diff --git a/nginx/baton.conf b/nginx/baton.conf
index e148729..8afbf2f 100644
--- a/nginx/baton.conf
+++ b/nginx/baton.conf
@@ -91,9 +91,27 @@ server {
 proxy_connect_timeout 5s;
 }
 
+# ---------------------------------------------------------------------------
+# Security headers
+# IMPORTANT: must be repeated in every location block that uses add_header,
+# because nginx does not inherit parent add_header when child block defines its own.
+# ---------------------------------------------------------------------------
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options DENY always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+
 # Статика фронтенда (SPA)
 location / {
 root /opt/baton/frontend;
 try_files $uri /index.html;
+expires 1h;
+# Security headers repeated here because add_header in location blocks
+# overrides parent-level add_header directives (nginx inheritance rule)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-Frame-Options DENY always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+add_header Cache-Control "public" always;
 }
 }
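Review bot: The Content-Security-Policy value on both added `add_header Content-Security-Policy` lines omits the directives that do not fall back to `default-src` — `frame-ancestors`, `base-uri` and `form-action` — so an injected `<base>` tag or a form posting to another origin is not blocked and clickjacking protection rests on X-Frame-Options alone; I would extend the value in both places to end with `connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'` and add `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` next to the other headers. Since the same four headers are now copied verbatim into `location /`, the two copies will drift over time; keeping them in one snippet pulled in with `include` at both levels would avoid that. Separately, `expires 1h` together with `add_header Cache-Control "public" always;` also applies to `/index.html` reached through the `try_files` fallback, so the SPA entry point can be served stale from shared caches for an hour after a deploy — a dedicated `location = /index.html` with `Cache-Control "no-cache"` would keep the hashed assets cacheable while refreshing the entry point. The proxy location closed by the `}` at the top of the hunk begins outside it, so whether it defines its own `add_header` (and therefore drops these server-level headers, as the new comment warns) cannot be checked here.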