diff --git a/src/plugins/security.ts b/src/plugins/security.ts
new file mode 100644
index 0000000..06187a4
--- /dev/null
+++ b/src/plugins/security.ts
@@ -0,0 +1,21 @@
+import { FastifyInstance, FastifyPluginAsync } from 'fastify';
+import helmet from '@fastify/helmet';
+import cors from '@fastify/cors';
+import fp from 'fastify-plugin';
+import { getCorsOrigins } from '../config/env.js';
+
+const securityPlugin: FastifyPluginAsync = async (app: FastifyInstance) => {
+ await app.register(helmet, {
+ contentSecurityPolicy: false,
+ crossOriginEmbedderPolicy: false,
+ });
+
+ await app.register(cors, {
+ origin: getCorsOrigins(),
+ credentials: true,
+ methods: ['GET', 'POST', 'PATCH', 'DELETE', 'PUT', 'OPTIONS'],
+ allowedHeaders: ['Content-Type', 'Authorization'],
+ });
+};
+
+export default fp(securityPlugin, { name: 'security' });
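Review bot: `credentials: true` in the `cors` registration is paired with whatever `getCorsOrigins()` returns, and nothing in this plugin rejects a permissive value. The helper lives in `../config/env.js`, outside this diff, so if an unset or misconfigured environment can make it yield `true`, `'*'` or an empty list, the credentialed CORS policy would be wider than intended or silently broken. I would fail closed at registration, for example `const origins = getCorsOrigins();` followed by `if (!Array.isArray(origins) || origins.length === 0 || origins.includes('*')) throw new Error('CORS origins must be an explicit allowlist');`, adjusted to the helper's real return type. Separately, `contentSecurityPolicy: false` and `crossOriginEmbedderPolicy: false` switch off two helmet protections with no stated reason; a comment such as `// CSP/COEP disabled: <reason>; re-enable if this service ever serves HTML` would record the intent for the next reviewer.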