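from aiohttp import web

# Baseline headers stamped on every reply that passes through the middleware.
# Strict-Transport-Security is only honoured by browsers on HTTPS responses,
# so it has no effect if the app is reachable over plain HTTP.
_SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


@web.middleware
async def security_headers_middleware(request, handler):
    """Add the baseline security headers to every response.

    The headers are applied both to responses returned by ``handler`` and to
    responses raised as ``web.HTTPException`` (404s, redirects, 401/403, ...),
    so error pages are covered by the same policy as normal pages.

    Args:
        request: The incoming aiohttp request.
        handler: The next handler (or middleware) in the chain.

    Returns:
        The handler's response with the security headers set.

    Raises:
        web.HTTPException: Re-raised unchanged, apart from the added headers,
            when the handler raised one.
    """
    try:
        response = await handler(request)
    except web.HTTPException as exc:
        # aiohttp handlers signal errors and redirects by raising; without
        # this branch those replies would leave with no security headers.
        exc.headers.update(_SECURITY_HEADERS)
        raise

    # update() replaces any value the handler set for the same header name,
    # so a per-route Content-Security-Policy is overridden here.
    # NOTE(review): a response the handler already prepared (streaming,
    # WebSocket) has sent its headers, so this update cannot reach the client
    # for those responses - confirm whether such routes need separate handling.
    response.headers.update(_SECURITY_HEADERS)
    return response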