diff --git a/CHANGELOG.md b/CHANGELOG.md
index 22c03989..6792c02a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added the caching for current market prices
 - Added a loading indicator to the import dividends dialog
+- Set up the `helmet` middleware to protect the app from web vulnerabilities by setting HTTP headers
 
 ### Changed
 
@@ -1118,7 +1119,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added support to change the appearance (dark mode) in user settings
 - Added the total amount chart to the investment timeline
-- Setup the `prettier` plugin `prettier-plugin-organize-attributes`
+- Set up the `prettier` plugin `prettier-plugin-organize-attributes`
 
 ### Changed
 
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 91d030de..0d4117a7 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -1,7 +1,9 @@
 import { Logger, ValidationPipe, VersioningType } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { NestFactory } from '@nestjs/core';
+import type { NestExpressApplication } from '@nestjs/platform-express';
 import * as bodyParser from 'body-parser';
+import helmet from 'helmet';
 
 import { AppModule } from './app/app.module';
 import { environment } from './environments/environment';
@@ -10,11 +12,12 @@ async function bootstrap() {
   const configApp = await NestFactory.create(AppModule);
   const configService = configApp.get<ConfigService>(ConfigService);
 
-  const app = await NestFactory.create(AppModule, {
+  const app = await NestFactory.create<NestExpressApplication>(AppModule, {
     logger: environment.production
       ? ['error', 'log', 'warn']
       : ['debug', 'error', 'log', 'verbose', 'warn']
   });
+
   app.enableCors();
   app.enableVersioning({
     defaultVersion: '1',
@@ -32,6 +35,8 @@ async function bootstrap() {
   // Support 10mb csv/json files for importing activities
   app.use(bodyParser.json({ limit: '10mb' }));
 
+  app.use(helmet());
+
   const BASE_CURRENCY = configService.get<string>('BASE_CURRENCY');
   const HOST = configService.get<string>('HOST') || '0.0.0.0';
   const PORT = configService.get<number>('PORT') || 3333;
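Review bot: The new `app.use(helmet());` is registered after `app.use(bodyParser.json({ limit: '10mb' }))`, so a request that body-parser rejects (a 413 for an over-limit body or a 400 for malformed JSON) is answered before helmet runs and leaves without the security headers. Register it first: move the line above the body-parser registration (or directly after `NestFactory.create`) with a comment such as `// Register helmet before any middleware that can short-circuit the response`. Separately, `helmet()` with no options enables a default Content-Security-Policy (`default-src 'self'`, no inline scripts) and, in current helmet versions, `Cross-Origin-Resource-Policy: same-origin`; if this Express app also serves the frontend's static assets (the `NestExpressApplication` generic hints at that, but it is not visible here), those defaults can block inline scripts or cross-origin resource loads and should be verified or tuned via `helmet({ contentSecurityPolicy: { ... } })`. The enclosing `bootstrap` function starts and ends outside the hunk.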
diff --git a/package.json b/package.json
index 7336b670..de433687 100644
--- a/package.json
+++ b/package.json
@@ -105,6 +105,7 @@
     "date-fns": "2.29.3",
     "envalid": "7.3.1",
     "google-spreadsheet": "3.2.0",
+    "helmet": "7.0.0",
     "http-status-codes": "2.2.0",
     "ionicons": "7.1.0",
     "lodash": "4.17.21",
diff --git a/yarn.lock b/yarn.lock
index 9ce07122..aea07db0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10720,6 +10720,11 @@ heap@^0.2.6:
   resolved "https://registry.yarnpkg.com/heap/-/heap-0.2.7.tgz#1e6adf711d3f27ce35a81fe3b7bd576c2260a8fc"
   integrity sha512-2bsegYkkHO+h/9MGbn6KWcE45cHZgPANo5LXF7EvWdT0yT2EguSVO1nDgU5c8+ZOPwp2vMNa7YFsJhVcDR9Sdg==
 
+helmet@7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.0.0.tgz#ac3011ba82fa2467f58075afa58a49427ba6212d"
+  integrity sha512-MsIgYmdBh460ZZ8cJC81q4XJknjG567wzEmv46WOBblDb6TUd3z8/GhgmsM9pn8g2B80tAJ4m5/d3Bi1KrSUBQ==
+
 hmac-drbg@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"