diff --git a/servers/cu/package-lock.json b/servers/cu/package-lock.json
index a0370ba2e..5be5178ce 100644
--- a/servers/cu/package-lock.json
+++ b/servers/cu/package-lock.json
@@ -16,6 +16,7 @@
 "debug": "^4.3.4",
 "express": "^4.18.2",
 "heapdump": "^0.3.15",
+ "helmet": "^7.1.0",
 "hyper-async": "^1.1.2",
 "lru-cache": "^10.1.0",
 "ms": "^2.1.3",
@@ -768,6 +769,14 @@
 "node": ">=0.10.0"
 }
 },
+ "node_modules/helmet": {
+ "version": "7.1.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz",
+ "integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==",
+ "engines": {
+ "node": ">=16.0.0"
+ }
+ },
 "node_modules/http-errors": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
@@ -2608,6 +2617,11 @@
 "nan": "^2.13.2"
 }
 },
+ "helmet": {
+ "version": "7.1.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz",
+ "integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg=="
+ },
 "http-errors": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
diff --git a/servers/cu/package.json b/servers/cu/package.json
index 7cd740fe4..c501e8915 100644
--- a/servers/cu/package.json
+++ b/servers/cu/package.json
@@ -21,6 +21,7 @@
 "debug": "^4.3.4",
 "express": "^4.18.2",
 "heapdump": "^0.3.15",
+ "helmet": "^7.1.0",
 "hyper-async": "^1.1.2",
 "lru-cache": "^10.1.0",
 "ms": "^2.1.3",
diff --git a/servers/cu/src/app.js b/servers/cu/src/app.js
index e22cb5c34..af2ac70d0 100644
--- a/servers/cu/src/app.js
+++ b/servers/cu/src/app.js
@@ -3,6 +3,7 @@ import heapdump from 'heapdump'
 import { pipe } from 'ramda'
 import express from 'express'
 import cors from 'cors'
+import helmet from 'helmet'
 import { logger } from './logger.js'
 import { config } from './config.js'
@@ -12,6 +13,7 @@ export const server = pipe(
 /**
 * Allows us to download heapdumps, if created
 */
+ (app) => app.use(helmet()),
 (app) => app.use(express.static(config.DUMP_PATH)),
 (app) => app.use(cors()),
 (app) => app.use(express.json({ type: 'application/json' })),
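Review bot: The added `(app) => app.use(helmet()),` sits between the existing `/** Allows us to download heapdumps, if created */` comment and the `express.static(config.DUMP_PATH)` line it documents, so the comment now appears to describe helmet. Move the new line above that comment and give it its own, e.g. `/** Set helmet's default security response headers on every route */`. helmet only adds response headers, so it does not limit who can fetch files from `config.DUMP_PATH`; heap dumps contain process memory, and no access control on that route is visible in this hunk. Since `cors()` is registered right after, confirm that helmet's default `Cross-Origin-Resource-Policy: same-origin` is what this API wants, or set `crossOriginResourcePolicy` explicitly. The `pipe(` call opens above the hunk and the hunk ends before it closes.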