diff --git a/Docker/nginx.conf b/Docker/nginx.conf
index 5910ccf..5efa829 100644
--- a/Docker/nginx.conf
+++ b/Docker/nginx.conf
@@ -10,6 +10,15 @@ server {
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 gzip_min_length 256;
+ # ── Security headers ─────────────────────────────────────
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ # Uncomment when HTTPS is fully configured:
+ # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ # ── API reverse proxy → backend container ─────────────────
 location /api/ {
 proxy_pass http://backend:8000;
diff --git a/Docs/Architekture.md b/Docs/Architekture.md
index 64bdca7..0ca8112 100644
--- a/Docs/Architekture.md
+++ b/Docs/Architekture.md
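Review bot: The new `add_header` set lives at `server` level, and nginx inherits `add_header` into a `location` only when that location declares no `add_header` of its own, so any location that sets one (the `location /api/` block that follows is the first to check; its body continues outside the hunk) silently loses all five security headers. Either move the five lines into a snippet file that every location pulls in via `include`, or at least add a comment above the block such as `# NOTE: add_header is not inherited by a location that defines its own add_header — re-include this set there`. Separately, `base-uri` and `form-action` do not fall back to `default-src`, so the policy as written still leaves `<base>` injection and form submission targets unrestricted; extending the value to `... connect-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none';` closes that gap without affecting the inline styles the `'unsafe-inline'` exception exists for.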
@@ -829,6 +829,27 @@ Request → /api/typos
 ---
+## 9.2a nginx Security Headers
+
+nginx adds the following OWASP-recommended security headers to all responses:
+
+| Header | Value | Purpose |
+|---|---|---|
+| **Content-Security-Policy** | `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';` | Prevents XSS attacks by restricting script execution to same-origin. `style-src 'unsafe-inline'` is required for Fluent UI v9's inline styles. |
+| **X-Frame-Options** | `DENY` | Prevents clickjacking by disallowing iframe embedding. |
+| **X-Content-Type-Options** | `nosniff` | Prevents MIME-sniffing; browsers must respect the declared Content-Type. |
+| **Referrer-Policy** | `no-referrer` | Prevents leaking internal URLs in the `Referer` header to third-party resources. |
+| **Permissions-Policy** | `geolocation=(), microphone=(), camera=()` | Disables access to browser APIs not needed by the application. |
+| **Strict-Transport-Security** | *Commented out* | Must only be enabled after HTTPS is fully configured. Uncomment when TLS termination is production-ready. |
+
+All headers use the `always` directive, ensuring they are included in error responses (4xx, 5xx) as well.
+
+### CSP and Fluent UI
+
+Fluent UI v9 applies styles via inline `style` attributes on DOM elements. To support this, `style-src 'unsafe-inline'` is required. A stricter CSP using nonces would require server-side rendering of the HTML shell, which is outside the current architecture.
+
+---
+
 ## 9.3 Deployment Constraints
 ### Single-Worker Requirement