diff --git a/apps/setup_2fa.php b/apps/setup_2fa.php
index 3193e06..a4abb2f 100644
--- a/apps/setup_2fa.php
+++ b/apps/setup_2fa.php
@@ -24,8 +24,15 @@ if (userHasTOTP($_SESSION['username'])) {
     $codesecret = $totp->getSecret();
     $chunk_secret = trim(chunk_split($codesecret, 8, ' '));
     $APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan 2fa qrcode", false) . '</div>' . <<<END
+<style nonce="$SECURE_NONCE">
+.mono-chunk {
+    text-align: center;
+    font-size: 110%;
+    font-family: monospace;
+}
+</style>
 <img src="$qrcode" class="img-responsive qrcode" />
-<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_secret</div>
+<div class="well well-sm mono-chunk">$chunk_secret</div>
 <form action="action.php" method="POST">
     <input type="hidden" name="action" value="add2fa" />
     <input type="hidden" name="source" value="security" />
diff --git a/apps/sync_mobile.php b/apps/sync_mobile.php
index f354aab..87ad14d 100644
--- a/apps/sync_mobile.php
+++ b/apps/sync_mobile.php
@@ -52,19 +52,29 @@ if (MOBILE_ENABLED) {
                 . lang("scan sync qrcode", false)
                 . '</div>'
                 . <<<END
+<style nonce="$SECURE_NONCE">
+.margintop-15px {
+    margin-top: 15px;
+}
+.mono-chunk {
+    text-align: center;
+    font-size: 110%;
+    font-family: monospace;
+}
+</style>
 <img src="$qrcode" class="img-responsive qrcode" />
-<div class="panel panel-default" style="margin-top: 15px;">
+<div class="panel panel-default margintop-15px">
 <div class="panel-body">
 END
                 . "<b>" . lang("manual setup", false) . "</b><br /><label>" . lang("username", false) . ":</label>"
-                . '<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">' . $_SESSION['username'] . '</div>'
+                . '<div class="well well-sm mono-chunk">' . $_SESSION['username'] . '</div>'
                 . "<label>" . lang("sync key", false) . "</label>"
                 . <<<END
-<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_code</div>
+<div class="well well-sm mono-chunk">$chunk_code</div>
 END
                 . "<label>" . lang("url", false) . "</label>"
                 . <<<END
-<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$url</div>
+<div class="well well-sm mono-chunk">$url</div>
 </div>
 </div>
 <a class="btn btn-success btn-sm btn-block" href="home.php?page=security">$lang_done</a>
@@ -78,19 +88,23 @@ END;
         $content .= "<div class='list-group'>";
         if (count($activecodes) > 0) {
             foreach ($activecodes as $c) {
-                $content .= "<div class='list-group-item mobilekey'><span style='font-family: Ubuntu Mono,monospace; flex-shrink: 0'>" . trim(chunk_split($c['code'], 5, ' ')) . "</span> <span class='tinybuttons'><a class='btn btn-primary btn-sm' href='home.php?page=security&mobilecode=generate&showsynccode=" . $c['codeid'] . "'><i class='fa fa-qrcode'></i></a> <a class='btn btn-danger btn-sm' href='home.php?page=security&delsynccode=" . $c['codeid'] . "'><i class='fa fa-trash'></i></a></span></div>";
+                $content .= "<div class='list-group-item mobilekey'><span id=\"mobilecode\">" . trim(chunk_split($c['code'], 5, ' ')) . "</span> <span class='tinybuttons'><a class='btn btn-primary btn-sm' href='home.php?page=security&mobilecode=generate&showsynccode=" . $c['codeid'] . "'><i class='fa fa-qrcode'></i></a> <a class='btn btn-danger btn-sm' href='home.php?page=security&delsynccode=" . $c['codeid'] . "'><i class='fa fa-trash'></i></a></span></div>";
             }
         } else {
             $content .= "<div class='list-group-item'>" . lang("no active codes", false) . "</div>";
         }
         $content .= "</div>";
         $content .= <<<END
-            <style>
+            <style nonce="$SECURE_NONCE">
                 .mobilekey {
                     display: flex;
                     flex-wrap: wrap;
                     justify-content: space-between;
                 }
+                .mobilekey #mobilecode {
+                    font-family: Ubuntu Mono,monospace;
+                    flex-shrink: 0;
+                }
             </style>
 END;
         $APPS["sync_mobile"]["content"] = $content;
diff --git a/home.php b/home.php
index d5b7f7b..16a077a 100644
--- a/home.php
+++ b/home.php
@@ -67,7 +67,7 @@ if (!is_empty($_GET['page'])) {
                                 }
                                 ?>
                                 <a class="navbar-brand" href="home.php">
-                                    <img style="height: 35px; padding-bottom: 12px; padding-left: 5px;" src="<?php echo $src; ?>" />
+                                    <img src="<?php echo $src; ?>" />
                                 </a>
                                 <?php
                             }
@@ -116,7 +116,7 @@ if (!is_empty($_GET['page'])) {
             <?php
             if (MENU_BAR_STYLE == "fixed") {
                 ?>
-                <div style="height: 75px;"></div>
+                <div class="pad-75px"></div>
                 <?php
             }
             ?>
diff --git a/mobile/index.php b/mobile/index.php
index 1afb987..a6d78c5 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -97,6 +97,7 @@ switch ($VARS['action']) {
             if (get_account_status($username) == "NORMAL") {
                 if (authenticate_user($username, $VARS['password'], $autherror)) {
                     doLoginUser($username, $VARS['password']);
+                    $_SESSION['mobile'] = true;
                     exit(json_encode(["status" => "OK"]));
                 }
             }
diff --git a/required.php b/required.php
index 916dde1..a252d6c 100644
--- a/required.php
+++ b/required.php
@@ -10,7 +10,11 @@ header('Content-Type: text/html; charset=utf-8');
 // l33t $ecurity h4x
 header('X-Content-Type-Options: nosniff');
 header('X-XSS-Protection: 1; mode=block');
-header('X-Powered-By: Late-night coding frenzies (plz send caffeine, thx)');
+header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
+header('X-Frame-Options: "DENY"');
+header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
+$SECURE_NONCE = base64_encode(random_bytes(8));
+
 
 $session_length = 60 * 60; // 1 hour
 session_set_cookie_params($session_length, "/", null, false, false);
@@ -18,6 +22,30 @@ session_set_cookie_params($session_length, "/", null, false, false);
 session_start(); // stick some cookies in it
 //// renew session cookie
 setcookie(session_name(), session_id(), time() + $session_length);
+
+if ($_SESSION['mobile'] === TRUE) {
+    header("Content-Security-Policy: "
+            . "default-src 'self';"
+            . "object-src 'none'; "
+            . "img-src * data:; "
+            . "media-src 'self'; "
+            . "frame-src 'none'; "
+            . "font-src 'self'; "
+            . "connect-src *; "
+            . "style-src 'self' 'unsafe-inline'; "
+            . "script-src 'self' 'unsafe-inline'");
+} else {
+    header("Content-Security-Policy: "
+            . "default-src 'self';"
+            . "object-src 'none'; "
+            . "img-src * data:; "
+            . "media-src 'self'; "
+            . "frame-src 'none'; "
+            . "font-src 'self'; "
+            . "connect-src *; "
+            . "style-src 'self' 'nonce-$SECURE_NONCE'; "
+            . "script-src 'self' 'nonce-$SECURE_NONCE'");
+}
 //
 // Composer
 require __DIR__ . '/vendor/autoload.php';
@@ -30,7 +58,21 @@ require __DIR__ . '/lang/messages.php';
 require __DIR__ . '/lang/' . LANGUAGE . ".php";
 
 function sendError($error) {
-    die("<!DOCTYPE html><html><head><title>Error</title></head><body><h1 style='color: red; font-family: sans-serif; font-size:100%;'>" . htmlspecialchars($error) . "</h1></body></html>");
+    global $SECURE_NONCE;
+    die("<!DOCTYPE html>"
+            . "<meta charset=\"UTF-8\">"
+            . "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
+            . "<title>Error</title>"
+            . "<style nonce=\"" . $SECURE_NONCE . "\">"
+            . "h1 {color: red; font-family: sans-serif; font-size: 20px; margin-bottom: 0px;} "
+            . "h2 {font-family: sans-serif; font-size: 16px;} "
+            . "p {font-family: monospace; font-size: 14px; width: 100%; wrap-style: break-word;} "
+            . "i {font-size: 12px;}"
+            . "</style>"
+            . "<h1>A fatal application error has occurred.</h1>"
+            . "<i>(This isn't your fault.)</i>"
+            . "<h2>Details:</h2>"
+            . "<p>". htmlspecialchars($error) . "</p>");
 }
 
 date_default_timezone_set(TIMEZONE);
diff --git a/static/css/app.css b/static/css/app.css
index f4a1902..583e814 100644
--- a/static/css/app.css
+++ b/static/css/app.css
@@ -9,6 +9,16 @@
     font-size: 110%;
 }
 
+.navbar-brand img {
+    height: 35px;
+    padding-bottom: 12px;
+    padding-left: 5px;
+}
+
+.pad-75px {
+    height: 75px;
+}
+
 .footer {
     margin-top: 10em;
     text-align: center;