diff --git a/requirements.d/all.txt b/requirements.d/all.txt
index 21ba795..86afe67 100644
--- a/requirements.d/all.txt
+++ b/requirements.d/all.txt
@@ -3,6 +3,7 @@ dnspython
 netaddr
 django~=1.11.0
 django-bootstrap-form
+django-referrer-policy
 django-registration-redux
 django-extensions
 social-auth-app-django
diff --git a/setup.py b/setup.py
index 73e98ec..9171705 100644
--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@ setup(
 'netaddr',
 'django>=1.11.0',
 'django-bootstrap-form',
+'django-referrer-policy',
 'django-registration-redux',
 'django-extensions',
 'social-auth-app-django',
diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index 84ee44c..f5a4d28 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -167,10 +167,12 @@ MIDDLEWARE = (
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
+'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+'django.middleware.security.SecurityMiddleware',
 )
 ROOT_URLCONF = 'nsupdate.urls'
@@ -272,13 +274,16 @@ LOGIN_REDIRECT_URL = '/overview/'
 LOGOUT_REDIRECT_URL = '/'
 X_FRAME_OPTIONS = 'DENY' # for clickjacking middleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+REFERRER_POLICY = 'same-origin'
 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'
 # Settings for CSRF cookie.
 CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_PATH = '/'
-CSRF_COOKIE_HTTPONLY = False
+CSRF_COOKIE_HTTPONLY = True
 # Settings for session cookie.
 SESSION_COOKIE_NAME = 'sessionid'
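Review bot: `'django.middleware.security.SecurityMiddleware'` is appended as the last MIDDLEWARE entry, whereas Django's documentation recommends placing it first so that, if `SECURE_SSL_REDIRECT` is ever enabled, the redirect short-circuits before the session, CSRF and auth middleware run; the response headers it sets (nosniff, X-XSS-Protection) work from either position. Moving the line to the top of the tuple, ahead of `'django.contrib.sessions.middleware.SessionMiddleware'`, costs nothing now and avoids a surprise later. Note also that adding the middleware alone does not emit Strict-Transport-Security; `SECURE_HSTS_SECONDS` is not set in this diff, so presumably HSTS stays off unless it is configured elsewhere in the settings tree. The MIDDLEWARE tuple begins outside the hunk.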
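Review bot: Flipping `CSRF_COOKIE_HTTPONLY` to `True` silently breaks any page script that reads the `csrftoken` cookie from `document.cookie` to populate an `X-CSRFToken` header on AJAX requests, and Django's own docs note the setting offers little practical benefit since the token is available in the DOM anyway; please confirm the project's templates and JS take the token from `{% csrf_token %}` / a hidden input rather than the cookie before merging. Unlike the `X_FRAME_OPTIONS` line just above, the three new headers settings carry no comment; a one-liner such as `# security headers, set by SecurityMiddleware (SECURE_*) and ReferrerPolicyMiddleware` would tell the next reader which middleware consumes them. `REFERRER_POLICY` is consumed by the third-party middleware only because the project pins Django 1.11; newer Django releases provide `SECURE_REFERRER_POLICY` natively, so the dependency can be dropped when the pin moves.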