diff --git a/.htaccess b/.htaccess
index 06584dc..5fe5c71 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,5 @@
 # Kirby .htaccess
-# revision 2022-09-15
+# revision 2023-07-22
 
 # rewrite rules
@@ -55,3 +55,13 @@
 AddOutputFilterByType DEFLATE application/json
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/x-javascript
+
+# set security headers in all responses
+
+
+# serve files as plain text if the actual content type is not known
+# (hardens against attacks from malicious file uploads)
+Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"
+Header set X-Content-Type-Options "nosniff"
+
+
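Review bot: The comment promises security headers "in all responses", but `Header set` without `always` only acts on the onsuccess table, so Apache-generated error responses (403/404/5xx) go out without `X-Content-Type-Options`; the second directive should read `Header always set X-Content-Type-Options "nosniff"` (the `Content-Type` fallback can stay onsuccess, since Apache already types its own error pages). The `-z %{CONTENT_TYPE}` fallback only covers files mod_mime could not type at all; an uploaded file whose extension Apache does map (e.g. `.html`, `.svg`) is still served with that real type, so this hardens only the unknown-extension case and is not a substitute for restricting what the upload directory may serve, which the comment should make explicit. The `expr=` form of `Header` also needs Apache 2.4.10 or later, worth stating in the comment. The bare `+` lines around the directives presumably held an `<IfModule mod_headers.c>` wrapper that the rendering stripped; if that wrapper is in fact absent, these `Header` lines are a hard configuration error on hosts without mod_headers.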