diff --git a/src/server/middleware/security-headers.ts b/src/server/middleware/security-headers.ts
new file mode 100644
index 00000000..be9588bc
--- /dev/null
+++ b/src/server/middleware/security-headers.ts
@@ -0,0 +1,27 @@
+/**
+ * Factory returning express-style middleware that sets standard security headers.
+ * Registered by 1I when wiring middleware into Modern.js config.
+ */
+export function securityHeadersMiddleware() {
+  return (
+    _req: unknown,
+    res: { setHeader(name: string, value: string): void },
+    next: () => void,
+  ): void => {
+    res.setHeader(
+      "Strict-Transport-Security",
+      "max-age=63072000; includeSubDomains; preload",
+    );
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "SAMEORIGIN");
+    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+    res.setHeader(
+      "Permissions-Policy",
+      "geolocation=(), camera=(), microphone=()",
+    );
+    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+    res.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
+
+    next();
+  };
+}
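Review bot: `Cross-Origin-Resource-Policy: cross-origin` is the most permissive value of that header and opts every response out of CORP protection, so it loosens rather than tightens the posture the docstring advertises; if this server only serves its own app, `res.setHeader("Cross-Origin-Resource-Policy", "same-origin");` (or `same-site` for sibling subdomains) is the safer default, and if cross-origin is required a comment such as `// CORP is cross-origin because assets are fetched from other origins` should record why. The `preload` token on `Strict-Transport-Security` is a request to be hard-coded into browser preload lists and, with `includeSubDomains`, binds every subdomain to HTTPS for two years; confirm the domain is actually being submitted before shipping it, since it is effectively irreversible once listed. No `Content-Security-Policy` is set here, which is the header with the largest effect on script-injection risk; if it is configured elsewhere or deliberately deferred, the factory docstring should say so. The phrase "Registered by 1I" in the header comment looks garbled and should probably be corrected.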