diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf
index dd2e803..a3727d7 100644
--- a/nextcloud/nginx.conf
+++ b/nextcloud/nginx.conf
@@ -127,7 +127,7 @@ http {
 
             # Let Nextcloud's API for `/.well-known` URIs handle all other
             # requests by passing them to the front-end controller.
-            return 301 https://$host:443/index.php$request_uri; 
+            return 301 https://$host:443/index.php$request_uri;
         }
 
         # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -164,12 +164,12 @@ http {
 
         # Javascript mimetype fixes for nginx
         # Note: The block below should be removed, and the js|mjs section should be
-        # added to the block below this one. This is a temporary fix until Nginx 
+        # added to the block below this one. This is a temporary fix until Nginx
         # upstream fixes the js mime-type
         location ~* \.(?:js|mjs)$ {
-            types { 
+            types {
                 text/javascript js mjs;
-            } 
+            }
             default_type "text/javascript";
             try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463, $asset_immutable";
@@ -177,9 +177,15 @@ http {
         }
 
         # Serve static files
-        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Cache-Control "public, max-age=15778463$asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index 1670926..262e603 100755
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -15,7 +15,6 @@ services:
       - ${STORAGE_PATH}/caddy/data:/data
       - ${STORAGE_PATH}/caddy/config:/config
       - ${WWW_PATH}:/usr/share/caddy:ro
-
     environment:
       - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER}
       - NETCUP_API_KEY=${NETCUP_API_KEY}