diff --git a/.htaccess b/.htaccess
index c6dda842..da2c029b 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,4 +1,15 @@
-
IndexIgnore *
Options -Indexes
+
+# Basic security headers.
+# These defaults are intentionally conservative to avoid breaking common customizations.
+
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
+
+ # Prevent clickjacking on the OpenCATS UI.
+ # Note: /careers/ intentionally unsets this header in careers/.htaccess to allow embedding Career Portal into external websites using an iframe.
+ Header always set X-Frame-Options "SAMEORIGIN"
+
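Review bot: The `Header` directives added at the top of `.htaccess` are not guarded by a module check, so on a host where mod_headers is not loaded every request to the application will fail with a 500 ("Invalid command 'Header'"), which is a hard outage rather than merely missing headers. Wrap the new block in `<IfModule mod_headers.c>` … `</IfModule>`, matching the file's stated goal of not breaking common deployments; the stray leading space on each `Header` line suggests such a container may once have been there, though the hunk's line counts indicate it is absent in the committed text. It is also worth noting in the comment that `X-Frame-Options "SAMEORIGIN"` is the legacy mechanism and that a `Content-Security-Policy "frame-ancestors 'self'"` header is the modern equivalent, so operators adding their own CSP know the two must agree.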
diff --git a/careers/.htaccess b/careers/.htaccess
new file mode 100644
index 00000000..6e06babf
--- /dev/null
+++ b/careers/.htaccess
@@ -0,0 +1,5 @@
+# The Career Portal might be embedded into external websites using an iframe.
+# Allow embedding by unsetting the clickjacking protection header that is set globally.
+
+ Header always unset X-Frame-Options
+
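Review bot: `Header always unset X-Frame-Options` removes clickjacking protection for `/careers/` from every origin, not just the customer's own site, so an attacker can frame the Career Portal (and its application forms) from any domain; the comment should say this trade-off explicitly and point operators at the allowlist they should configure instead. Add a commented template such as `# Header always set Content-Security-Policy "frame-ancestors 'self' https://www.your-company.example"` below the unset, replacing the blanket unset with a CSP `frame-ancestors` allowlist where the embedding site is known. Whether this subdirectory `unset` reliably overrides the parent `.htaccess` `set` depends on mod_headers merge order (parent context first, then child), which appears to hold here but should be confirmed on the target Apache version. As in the parent file, the directive should sit inside an `<IfModule mod_headers.c>` guard so a host without mod_headers does not return 500 for the portal.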