diff --git a/app/config.py b/app/config.py
index 2a4c099..e48ba4a 100644
--- a/app/config.py
+++ b/app/config.py
@@ -83,7 +83,7 @@ class Settings(BaseSettings):
     ssh_key: str = ""             # PEM private key content (paste full key including headers)
 
     # Application version — used by the /api/v1/updates/check endpoint
-    app_version: str = "1.0.0-26"
+    app_version: str = "1.0.0-27"
 
     # ---- Authentication (1.0.0-22) ----
     # session_secret: HMAC key for signing session cookies. Empty = generate
diff --git a/app/main.py b/app/main.py
index 99268a4..01c16c3 100644
--- a/app/main.py
+++ b/app/main.py
@@ -121,6 +121,52 @@ async def lifespan(app: FastAPI):
 app = FastAPI(title="TrueNAS Burn-In Dashboard", lifespan=lifespan)
 
 
+# ---------------------------------------------------------------------------
+# Defense-in-depth security headers
+# ---------------------------------------------------------------------------
+
+# CSP allows the CDNs we actively load:
+#   unpkg.com           — htmx + htmx-sse-extension
+#   cdnjs.cloudflare.com — qrcodejs (history print page)
+#   cdn.jsdelivr.net     — xterm.js (terminal tab, lazy-loaded)
+# 'unsafe-inline' is needed for inline <script> in settings.html and
+# inline <style> in job_print.html. Tighten via nonces later if you
+# care about CSP-level XSS hardening; for now relies on Jinja2's
+# autoescape + html.escape on all user-controlled fields.
+_CSP = " ".join([
+    "default-src 'self';",
+    "script-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net;",
+    "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net;",
+    "img-src 'self' data:;",
+    "font-src 'self' data:;",
+    "connect-src 'self' ws: wss:;",
+    "object-src 'none';",
+    "base-uri 'self';",
+    "form-action 'self';",
+    "frame-ancestors 'none';",
+])
+
+
+class _SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """Sets security headers that are cheap, effective, and never break
+    the page if you stick to same-origin. CSP is the meaningful one;
+    the others close small XSS / clickjacking / referrer-leak surfaces."""
+
+    async def dispatch(self, request: Request, call_next):
+        response = await call_next(request)
+        response.headers.setdefault("Content-Security-Policy", _CSP)
+        response.headers.setdefault("X-Content-Type-Options", "nosniff")
+        response.headers.setdefault("Referrer-Policy", "same-origin")
+        response.headers.setdefault("X-Frame-Options", "DENY")
+        # Permissions-Policy disables every feature we don't use. The
+        # empty allowlist syntax `()` = block for all origins.
+        response.headers.setdefault(
+            "Permissions-Policy",
+            "camera=(), microphone=(), geolocation=(), interest-cohort=()",
+        )
+        return response
+
+
 # ---------------------------------------------------------------------------
 # Auth gate — must be added BEFORE include_router so it runs first.
 # Path-prefix allowlist below covers anything we want reachable without
@@ -158,6 +204,7 @@ class _AuthGateMiddleware(BaseHTTPMiddleware):
         )
 
 
+app.add_middleware(_SecurityHeadersMiddleware)
 app.add_middleware(_AuthGateMiddleware)
 # SessionMiddleware must be added LAST (it wraps innermost so request.session
 # is populated before AuthGate runs).
diff --git a/app/routes.py b/app/routes.py
index 87ecce4..bff5e4c 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -298,6 +298,11 @@ async def login_submit(request: Request):
 
     user = found[0]
     auth.clear_login_failures(username, ip)
+    # Clear any pre-login session keys before populating the new identity.
+    # Closes session-fixation: if an attacker had somehow seeded the
+    # browser with a session cookie, this discards everything in it
+    # before issuing the new authenticated payload.
+    request.session.clear()
     request.session["user_id"]  = user.id
     request.session["username"] = user.username
     await auth.touch_last_login(user.id)
@@ -321,6 +326,9 @@ async def auth_first_user_setup(request: Request):
         user = await auth.create_user(username, password, full_name, is_admin=True)
     except ValueError as exc:
         raise HTTPException(status_code=400, detail=str(exc))
+    # Same fixation defense as the login flow — discard any pre-existing
+    # session payload before issuing the authenticated identity.
+    request.session.clear()
     request.session["user_id"]  = user.id
     request.session["username"] = user.username
     await auth.touch_last_login(user.id)