diff --git a/package.json b/package.json
index 4eb68a23..5b696a1d 100644
--- a/package.json
+++ b/package.json
@@ -53,6 +53,7 @@
 "passport": "^0.4.0",
 "passport-local": "^1.0.0",
 "redis": "^2.8.0",
+ "referrer-policy": "^1.1.0",
 "request": "^2.88.0",
 "socket.io": "^2.2.0",
 "socket.io-redis": "^5.2.0",
diff --git a/server/apps/admin.js b/server/apps/admin.js
index 97b7fc25..e5cfe653 100644
--- a/server/apps/admin.js
+++ b/server/apps/admin.js
@@ -30,7 +30,34 @@ mongoose.connect(url);
 app.engine('handlebars', hbs.engine);
 app.set('view engine', 'handlebars');
+app.use(compression({filter: shouldCompress}))
+
+function shouldCompress (req, res) {
+ if (req.headers['x-no-compression']) {
+ // don't compress responses with this request header
+ return false;
+ }
+
+ // fallback to standard filter function
+ return compression.filter(req, res);
+}
 app.set('trust proxy', '127.0.0.1');
+
+var bodyParser = require('body-parser');
+var cookieParser = require("cookie-parser");
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
+app.use(helmet({
+ frameguard: false,
+ features: {
+ fullscreen: ["'self'"],
+ vibrate: ["'none'"],
+ payment: ['none'],
+ syncXhr: ["'*'"],
+ notifications: ["'self'"]
+ }
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.enable('view cache');
 app.set('views', publicPath);
 app.use( bodyParser.json() ); // to support JSON-encoded bodies
diff --git a/server/apps/client.js b/server/apps/client.js
index 4e448e43..97d44172 100755
--- a/server/apps/client.js
+++ b/server/apps/client.js
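Review bot: The Feature-Policy allowlist values passed to helmet in server/apps/admin.js are inconsistently quoted: `payment: ['none']` should be `payment: ["'none'"]` (the `'none'` keyword carries quotes in the header syntax, as `vibrate` already does), while `syncXhr: ["'*'"]` should be `syncXhr: ['*']` (the wildcard carries none). Whether the top-level `features` key is honoured at all depends on the helmet version in use — in helmet 3.x the feature-policy options are nested as `featurePolicy: { features: { ... } }` and an unrecognised top-level key is ignored rather than rejected, so it is worth confirming that a `Feature-Policy` header actually appears in an admin response after this change. `frameguard: false` drops `X-Frame-Options` from the admin app with no `frame-ancestors` CSP directive visible in this hunk, which leaves admin pages frameable by any origin; unless embedding is required, leave frameguard at its default, and if it is, restrict it with `contentSecurityPolicy: { directives: { frameAncestors: ["'self'"] } }` instead. `origin-when-cross-origin` still sends the origin when an HTTPS page navigates to an HTTP destination, so `strict-origin-when-cross-origin` is the safer choice both here and on the matching `app.use(referrerPolicy(...))` line in the server/apps/client.js hunk.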
@@ -63,10 +63,12 @@ app.set('trust proxy', '127.0.0.1');
 var bodyParser = require('body-parser');
 var cookieParser = require("cookie-parser");
-var helmet = require('helmet')
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
 app.use(helmet({ frameguard: false }));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.use( bodyParser.json() ); // to support JSON-encoded bodies
 app.use(bodyParser.urlencoded({ // to support URL-encoded bodies
 extended: true