diff --git a/package.json b/package.json
index a9567df7..96f1e39e 100644
--- a/package.json
+++ b/package.json
@@ -101,7 +101,8 @@
 "stripe": "^18.3.0",
 "swagger-ui-express": "^5.0.1",
 "typeorm": "^0.3.28",
- "uuid": "^11.1.0"
+ "uuid": "^11.1.0",
+ "helmet": "^8.0.0"
 },
 "devDependencies": {
 "@commitlint/cli": "^19.0.0",
diff --git a/src/main.ts b/src/main.ts
index 028e8780..4b014843 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -13,6 +13,7 @@ import { LoggingInterceptor } from './common/interceptors/logging.interceptor';
 import { correlationMiddleware } from './common/utils/correlation.utils';
 import { sessionConfig } from './config/cache.config';
 import { SESSION_REDIS_CLIENT } from './session/session.constants';
+import helmet from 'helmet';
 async function bootstrapWorker() {
 const logger = new Logger('Bootstrap');
@@ -21,6 +22,17 @@ async function bootstrapWorker() {
 // Create the application with dynamic module loading
 const app = await NestFactory.create(await AppModule.forRoot(), { rawBody: true });
+ // ─── Security Headers ─────────────────────────────────────────────────────
+ app.use(
+ helmet({
+ hsts: {
+ maxAge: 31536000,
+ includeSubDomains: true,
+ preload: true,
+ },
+ }),
+ );
 const redisClient = app.get(SESSION_REDIS_CLIENT);
 if (sessionConfig.trustProxy) {
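Review bot: The new `"helmet": "^8.0.0"` entry is appended after `"uuid"`, although the visible neighbours (stripe, swagger-ui-express, typeorm, uuid) are kept in alphabetical order; it belongs among the h-entries, which lie outside this hunk. This excerpt shows no lockfile change for the new dependency — if the lockfile is not updated in the same commit, `npm ci` will fail on the mismatch and a plain `npm install` will resolve `^8.0.0` to whatever is current at install time rather than a reviewed version, so please confirm the lock entry (and its integrity hash) is part of the change.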
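Review bot: The HSTS block sends `preload: true` together with `includeSubDomains: true` and a one-year `max-age` unconditionally, on every environment this binary runs in; once a domain is submitted to the browser preload list on the strength of that header, every subdomain of it is committed to HTTPS for at least a year and the change is effectively irreversible, so this should be an explicit production-only decision rather than a hard-coded default. I would gate it on configuration, e.g. `hsts: process.env.NODE_ENV === 'production'` / `? { maxAge: 31536000, includeSubDomains: true, preload: true }` / `: false,`, with a comment above it noting that `preload` is a long-lived commitment covering all subdomains. Separately, Helmet enables its default Content-Security-Policy here, and package.json shows this app serves swagger-ui-express; I cannot tell from the hunk whether the docs page still renders under `default-src 'self'`, so that route should be checked (or given a scoped CSP) before this ships. `bootstrapWorker` begins before this hunk (its signature is only the hunk's context line) and its body continues past the `if (sessionConfig.trustProxy)` line.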