diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index 97d1b2a85..46352aba8 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -15,17 +15,24 @@ import (
 "github.com/pomerium/pomerium/internal/version"
 )
+// CSPHeaders adds content security headers for authenticate's handlers
+var CSPHeaders = map[string]string{
+ "Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
+ "Referrer-Policy": "Same-origin",
+}
+
 // Handler returns the authenticate service's HTTP request multiplexer, and routes.
 func (a *Authenticate) Handler() http.Handler {
 // validation middleware chain
- validate := middleware.NewChain()
- validate = validate.Append(middleware.ValidateSignature(a.SharedKey))
+ c := middleware.NewChain()
+ c = c.Append(middleware.SetHeaders(CSPHeaders))
+ validate := c.Append(middleware.ValidateSignature(a.SharedKey))
 validate = validate.Append(middleware.ValidateRedirectURI(a.RedirectURL))
 mux := http.NewServeMux()
- mux.HandleFunc("/robots.txt", a.RobotsTxt)
+ mux.Handle("/robots.txt", c.ThenFunc(a.RobotsTxt))
 // Identity Provider (IdP) callback endpoints and callbacks
- mux.HandleFunc("/start", a.OAuthStart)
- mux.HandleFunc("/oauth2/callback", a.OAuthCallback)
+ mux.Handle("/start", c.ThenFunc(a.OAuthStart))
+ mux.Handle("/oauth2/callback", c.ThenFunc(a.OAuthCallback))
 // authenticate-server endpoints
 mux.Handle("/sign_in", validate.ThenFunc(a.SignIn))
 mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // GET POST
diff --git a/cmd/pomerium/options.go b/cmd/pomerium/options.go
index 5fb1186b5..6a27bd520 100644
--- a/cmd/pomerium/options.go
+++ b/cmd/pomerium/options.go
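Review bot: The `CSPHeaders` policy added at the top of the hunk sets neither `frame-ancestors` nor `base-uri`, and neither directive falls back to `default-src 'none'`, so the authenticate pages remain frameable as far as CSP is concerned and an injected `<base>` element would be honoured. The global defaults in cmd/pomerium/options.go still carry `X-Frame-Options: SAMEORIGIN` (I cannot tell from this hunk whether they are also applied to this service), so the matching CSP would be `"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self'; frame-ancestors 'self'; base-uri 'none';"`, assuming the templates use no `<base>` element. The `Referrer-Policy` value is spelled `Same-origin` whereas the specified token is the lowercase `same-origin`; a user agent that matches tokens exactly would discard it as unknown, so the canonical spelling is the safer choice. A comment on the var should also say that the `sha256-…` source pins one specific inline style block and must be regenerated whenever that template changes, otherwise the page silently loses its styling. `Handler` continues past the end of the hunk, so I cannot see whether every later route is wrapped in `c` or `validate` and therefore receives these headers.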
@@ -68,8 +68,6 @@ var defaultOptions = &Options{
 "X-Frame-Options": "SAMEORIGIN",
 "X-XSS-Protection": "1; mode=block",
 "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
- "Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
- "Referrer-Policy": "Same-origin",
 },
 }
diff --git a/docs/docs/certificates.md b/docs/docs/certificates.md
index 681581754..43c7168b8 100644
--- a/docs/docs/certificates.md
+++ b/docs/docs/certificates.md
@@ -20,7 +20,7 @@ It should be noted that there are countless ways of building and managing [publi
 ::: warning
-LetsEncrypt certificates certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html).
+LetsEncrypt certificates must be renewed [every 90 days](https://letsencrypt.org/2015/11/09/why-90-days.html).
 :::