diff --git a/ietf/settings.py b/ietf/settings.py
index ff7c97112..74307adec 100644
--- a/ietf/settings.py
+++ b/ietf/settings.py
@@ -357,7 +357,10 @@ MIDDLEWARE = (
 'ietf.middleware.SMTPExceptionMiddleware',
 'ietf.middleware.Utf8ExceptionMiddleware',
 'ietf.middleware.redirect_trailing_period_middleware',
+ 'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'django.middleware.security.SecurityMiddleware',
+ 'csp.middleware.CSPMiddleware',
 'ietf.middleware.unicode_nfkc_normalization_middleware',
 )
 
@@ -465,6 +468,22 @@ CORS_ORIGIN_ALLOW_ALL = True
 CORS_ALLOW_METHODS = ( 'GET', 'OPTIONS', )
 CORS_URLS_REGEX = r'^(/api/.*|.*\.json|.*/json/?)$'
 
+# Setting for django_referrer_policy.middleware.ReferrerPolicyMiddleware
+REFERRER_POLICY = 'strict-origin-when-cross-origin'
+
+# Content security policy configuration (django-csp)
+CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "data: https://datatracker.ietf.org/ https://www.ietf.org/")
+
+# django.middleware.security.SecurityMiddleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+#SECURE_HSTS_PRELOAD = True # Enable after testing
+SECURE_HSTS_SECONDS = 3600
+#SECURE_REDIRECT_EXEMPT
+#SECURE_SSL_HOST
+#SECURE_SSL_REDIRECT = True
+
 # Override this in your settings_local with the IP addresses relevant for you:
 INTERNAL_IPS = (
 # local
diff --git a/requirements.txt b/requirements.txt
index dc8b4d66d..5dbdf5624 100644
--- a/requirements.txt
+++ b/requirements.txt
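Review bot: `django.middleware.security.SecurityMiddleware` is added near the end of MIDDLEWARE, after every other middleware visible in the hunk, so once `SECURE_SSL_REDIRECT` (still commented out in the second hunk) is enabled the HTTP-to-HTTPS redirect will only fire after all the preceding middleware has already processed the plain-HTTP request. Django's ordering guidance is to place this middleware near the top of the list for exactly that reason; the headers it sets (HSTS, nosniff, X-XSS-Protection) are unaffected by the move, so relocating `'django.middleware.security.SecurityMiddleware',` to the first entry of the tuple is behaviour-neutral today and makes the redirect cheap later. The opening of the MIDDLEWARE tuple is outside this hunk, so if the move is deferred a comment on the new line such as `# TODO: move to the top of MIDDLEWARE before enabling SECURE_SSL_REDIRECT` would record the intent.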
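Review bot: `CSP_DEFAULT_SRC` includes `'unsafe-inline'`, which permits inline scripts and styles under every directive that falls back to default-src, so this policy does not block the injected-inline-script case a CSP primarily exists to stop; it still restricts which external origins may be loaded, which is worth having, but the entry should be treated as a transitional allowance, e.g. rolled out with `CSP_REPORT_ONLY = True` first and later narrowed via a separate `CSP_SCRIPT_SRC` without `'unsafe-inline'`. The third tuple element packs three sources into one space-separated string; django-csp joins the tuple with spaces so the header comes out the same, but `CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "data:", "https://datatracker.ietf.org/", "https://www.ietf.org/")` makes it visible that `data:` URIs are being allowed for scripts and objects as well, where `CSP_IMG_SRC`/`CSP_FONT_SRC` would be the usual narrower home for that source. `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` commits every subdomain of the served host to HTTPS for `SECURE_HSTS_SECONDS`; the 3600 value keeps that reversible, and the `# Enable after testing` comment on the preload line would be clearer as `# Enable only after every subdomain is confirmed HTTPS-only: preload-list inclusion is very hard to undo`.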
@@ -13,10 +13,13 @@ defusedxml>=0.4.1 # for TastyPie when ussing xml; not a declared dependency
 Django>=1.11,!=1.11.18,<1.12 # 1.11.18 has problems exporting BinaryField from django.db.models
 django-bcrypt>=0.9.2 # for the BCrypt password hasher option. Remove when all bcrypt upgraded to argon2
 django-bootstrap3>=8.2.1,<9.0.0
+django-csp>=3.5
 django-cors-headers>=2.4.0
+django-feature-policy>=2.0
 django-formtools>=1.0 # instead of django.contrib.formtools in 1.8
 django-markup>=1.1
 django-password-strength>=1.2.1
+django-referrer-policy>=1.0
 django-simple-history>=2.3.0
 django-tastypie>=0.13.2
 django-widget-tweaks>=1.3
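Review bot: `django-feature-policy>=2.0` is added here, but neither settings.py hunk in this diff registers that package's middleware or its setting (only the referrer-policy and csp middleware are wired in), so unless it is configured somewhere outside this change it is an unused third-party dependency pulled into the deployment. Either drop the line or add the corresponding middleware and setting in the same commit so the requirement is traceable to the code that needs it. The three new packages are also pinned only with a lower bound, which matches most of the file but means a future major release of a package that writes security headers would be picked up silently on the next install; a bounded range like the one on `django-bootstrap3` (`>=8.2.1,<9.0.0`) is the safer pattern for these.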