diff --git a/local-cli/server/middleware/MiddlewareManager.js b/local-cli/server/middleware/MiddlewareManager.js
index 8692abdcc..c565f6810 100644
--- a/local-cli/server/middleware/MiddlewareManager.js
+++ b/local-cli/server/middleware/MiddlewareManager.js
@@ -17,6 +17,7 @@ const WebSocketServer = require('ws').Server;
 const indexPageMiddleware = require('./indexPage');
 const copyToClipBoardMiddleware = require('./copyToClipBoardMiddleware');
+const getSecurityHeadersMiddleware = require('./getSecurityHeadersMiddleware');
 const loadRawBodyMiddleware = require('./loadRawBodyMiddleware');
 const openStackFrameInEditorMiddleware = require('./openStackFrameInEditorMiddleware');
 const statusPageMiddleware = require('./statusPageMiddleware');
@@ -44,6 +45,7 @@ module.exports = class MiddlewareManager {
 this.options = options;
 this.app = connect()
+ .use(getSecurityHeadersMiddleware)
 .use(loadRawBodyMiddleware)
 .use(compression())
 .use('/debugger-ui', serveStatic(debuggerUIFolder))
diff --git a/local-cli/server/middleware/getSecurityHeadersMiddleware.js b/local-cli/server/middleware/getSecurityHeadersMiddleware.js
new file mode 100644
index 000000000..ab14cd18b
--- /dev/null
+++ b/local-cli/server/middleware/getSecurityHeadersMiddleware.js
@@ -0,0 +1,27 @@
+/**
+ * Copyright (c) 2013-present, Facebook, Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @strict
+ * @format
+ */
+
+module.exports = function(req, res, next) {
+ const address = req.client.server.address();
+
+ // Block any cross origin request.
+ if (
+ req.headers.origin &&
+ req.headers.origin !== `http://localhost:${address.port}`
+ ) {
+ next(new Error('Unauthorized'));
+ return;
+ }
+
+ // Block MIME-type sniffing.
+ res.setHeader('X-Content-Type-Options', 'nosniff');
+
+ next();
+};
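Review bot: Putting `.use(getSecurityHeadersMiddleware)` at the head of the connect chain covers ordinary HTTP requests only; the `WebSocketServer` required in the same file (visible in the first hunk's context) presumably handles upgrade requests outside this chain, so the origin check added here would not apply to websocket connections. Worth confirming whether the upgrade path needs an equivalent origin check, and a one-line comment on the `.use` line saying that it is HTTP-only would save the next reader the same question. The constructor body continues outside the hunk.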
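Review bot: The allowlist in the `if` at the top of the exported function accepts only `http://localhost:<port>`, so a page served from `http://127.0.0.1:<port>` (or the machine's LAN address that devices use to reach the packager) that sends an Origin header is rejected, and `address.port` throws if `server.address()` returns null or a pipe string instead of an object. The rejection is passed to `next` as a bare `Error` with no status, which connect's default error handler most likely reports as a 500 rather than a 403. Browsers also omit the Origin header on same-origin GETs and plain navigations, so this only filters requests the browser already marks as cross-origin; if DNS-rebinding style access is the concern, a Host-header check against the same allowlist closes that gap, and the `X-Content-Type-Options` header could be set before the early return so rejected responses carry it too. A rewrite that derives the port defensively, allows the loopback forms and sets a status is sketched below; the nosniff header and final `next()` are unchanged.
```javascript
module.exports = function(req, res, next) {
  const address = req.client.server.address();
  // address() yields null before listen and a string for pipes; no port to compare then.
  const port = address && typeof address === 'object' ? address.port : undefined;
  const allowedOrigins = new Set([
    `http://localhost:${port}`,
    `http://127.0.0.1:${port}`,
    `http://[::1]:${port}`,
  ]);

  // Block any cross origin request (browsers send Origin only on cross-origin
  // and non-GET requests, so this does not cover same-origin navigations).
  const origin = req.headers.origin;
  if (origin && !allowedOrigins.has(origin.toLowerCase())) {
    const err = new Error('Unauthorized');
    err.status = 403; // reported as a client error instead of the default 500
    next(err);
    return;
  }
  // … unchanged: nosniff header and next() …
```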