diff -r 4bb38d03e430 -r 40e125004a0b src/hdalab/settings.py
--- a/src/hdalab/settings.py Thu Apr 02 22:52:54 2015 +0200
+++ b/src/hdalab/settings.py Fri Apr 03 02:22:15 2015 +0200
@@ -134,6 +134,8 @@
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.security.SecurityMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware'
 )
@@ -195,6 +197,12 @@
 HONEYPOT_FIELD_NAME='phone'
 ENVELOPE_SUBJECT_INTRO='[hdalab contact]'
+X_FRAME_OPTIONS='DENY'
+SESSION_COOKIE_SECURE=False
+SECURE_CONTENT_TYPE_NOSNIFF=True
+SECURE_BROWSER_XSS_FILTER=True
+CSRF_COOKIE_SECURE=False
+
 from hdalab.config import * #@UnusedWildImport
 if 'LOGIN_REDIRECT_URL' not in locals():
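Review bot: `django.middleware.security.SecurityMiddleware` is appended after `MessageMiddleware` at the very end of the tuple, whereas Django's documentation recommends placing it near the top of the middleware list so that its request-phase behaviour (`SECURE_SSL_REDIRECT`, when enabled) runs before other middleware; the response headers this commit relies on (`X-Content-Type-Options`, `X-XSS-Protection`) are still set from the last position, so the placement only becomes a problem once the redirect or HSTS settings are turned on. The new last element also lacks the trailing comma every other entry has; writing `'django.middleware.clickjacking.XFrameOptionsMiddleware',` keeps the tuple consistent and avoids an accidental implicit string concatenation when the next entry is added below it. The enclosing tuple (presumably the middleware setting) starts above this hunk.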
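Review bot: `SESSION_COOKIE_SECURE=False` and `CSRF_COOKIE_SECURE=False` commit the insecure default explicitly, so the session and CSRF cookies are sent over plain HTTP unless the wildcard import from `hdalab.config` on the following line overrides them, and nothing in the hunk records that expectation. A comment beside those two lines, such as `# Both cookie flags must be overridden to True in hdalab.config once the site is served over HTTPS only`, would make the intent clear to whoever maintains the deployment config. The same comment is the natural place to state that `SECURE_SSL_REDIRECT` and `SECURE_HSTS_SECONDS` are deliberately left at their defaults here and belong in the deployment config as well.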