diff --git a/validator/web/BUILD.bazel b/validator/web/BUILD.bazel
index dec83d0d9..0926ea59c 100644
--- a/validator/web/BUILD.bazel
+++ b/validator/web/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
 "doc.go",
 "handler.go",
 "log.go",
+ "headers.go",
 ":site_data", # keep
 ],
 importpath = "github.com/prysmaticlabs/prysm/validator/web",
diff --git a/validator/web/handler.go b/validator/web/handler.go
index 1e11628a8..98e003e79 100644
--- a/validator/web/handler.go
+++ b/validator/web/handler.go
@@ -11,6 +11,7 @@ const prefix = "external/prysm_web_ui/prysm-web-ui"
 // Handler serves web requests from the bundled site data.
 var Handler = func(res http.ResponseWriter, req *http.Request) {
+ addSecurityHeaders(res)
 u, err := url.ParseRequestURI(req.RequestURI)
 if err != nil {
 log.WithError(err).Error("Cannot parse request URI")
diff --git a/validator/web/headers.go b/validator/web/headers.go
new file mode 100644
index 000000000..5a8ed0b27
--- /dev/null
+++ b/validator/web/headers.go
@@ -0,0 +1,14 @@
+package web
+
+import "net/http"
+
+func addSecurityHeaders(w http.ResponseWriter) {
+ // Deny displaying the web UI in any iframe.
+ w.Header().Add("X-Frame-Options", "DENY")
+ // Prevent xss in case a malicious HTML markup is served in any page.
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+ // Prevent opening site in pop-up window to exploit cross-site leaks.
+ w.Header().Add("Cross-Origin-Opener-Policy", "same-origin-allow-popups")
+ // Prevent embedding from another resource.
+ w.Header().Add("Cross-Origin-Resource-Policy", "same-origin")
+}
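Review bot: The `nosniff` header that `addSecurityHeaders(res)` now applies is only safe if every asset served later in `Handler` carries an explicit, correct `Content-Type`, because with `X-Content-Type-Options: nosniff` browsers refuse to execute a script or apply a stylesheet whose declared type is wrong or absent; the body of `Handler` continues past the hunk, so I cannot confirm from here how the bundled site data sets its types. Placing the call before the `ParseRequestURI` error branch is the right order, since the headers then also cover the error responses. Worth a one-line comment on the call so nobody later moves it below an early return: `// Set before any early return so error responses carry the same headers.`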
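Review bot: `w.Header().Add` appends rather than replaces, so if any outer middleware or wrapper already set one of these headers the response carries two values, and browsers handle conflicting `X-Frame-Options` values inconsistently; for single-valued security headers use `w.Header().Set(...)` on all four lines. The comment on `X-Content-Type-Options` overstates it: `nosniff` stops MIME-type sniffing so a mis-typed response is not interpreted as script or CSS, it does not prevent XSS in general — suggest `// Disable MIME sniffing so responses are only interpreted as their declared Content-Type.` Likewise `same-origin-allow-popups` does not block pop-ups; it isolates this page's browsing-context group while still letting pop-ups it opens keep an opener reference, so unless the UI relies on that (not visible from the hunk) the stricter `same-origin` value is the safer choice, and the comment should say what the header actually does. No Content-Security-Policy is set here; if the bundled UI can run without inline scripts, a CSP with at least `frame-ancestors 'none'` (the modern counterpart of `X-Frame-Options`) would be the strongest addition to this set.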