diff --git a/controller/Controller.class.php b/controller/Controller.class.php
index d28799e3..31f83c89 100644
--- a/controller/Controller.class.php
+++ b/controller/Controller.class.php
@@ -13,7 +13,18 @@ class Controller
 $viewParameters = isset($viewAndParams[1]) ? $viewAndParams[1] : [];
 $headers = isset($viewAndParams[2]) ? $viewAndParams[2] : [];
 
- static::sendHeaders($headers);
+ $defaultHeaders = [
+ 'Content-Security-Policy' => "frame-ancestors 'none'",
+ 'X-Frame-Options' => 'DENY',
+ 'X-XSS-Protection'=> '1',
+ ];
+
+ if (IS_PRODUCTION)
+ {
+ $defaultHeaders['Strict-Transport-Security'] = 'max-age=31536000';
+ }
+
+ static::sendHeaders(array_merge($defaultHeaders, $headers));
 
 if ($viewTemplate === null)
 {
diff --git a/controller/Session.class.php b/controller/Session.class.php
index 711895a1..bebd861b 100644
--- a/controller/Session.class.php
+++ b/controller/Session.class.php
@@ -18,7 +18,10 @@ class Session
 public static function init()
 {
- session_start();
+ session_start([
+ 'cookie_secure' => IS_PRODUCTION, // cookie over ssl only
+ 'cookie_httponly' => true, // no js access
+ ]);
 }
 
 public static function get($key, $default = null)
diff --git a/controller/action/DownloadActions.class.php b/controller/action/DownloadActions.class.php
index e0a518de..a7829452 100644
--- a/controller/action/DownloadActions.class.php
+++ b/controller/action/DownloadActions.class.php
@@ -76,7 +76,7 @@ class DownloadActions extends Actions
 if (!$email || !filter_var($email, FILTER_VALIDATE_EMAIL))
 {
- Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . $email);
+ Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . htmlspecialchars($email));
 }
 else
 {
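Review bot: `'X-XSS-Protection'=> '1'` in the new `$defaultHeaders` array enables a legacy browser filter that current guidance (OWASP, MDN) says to disable: Chromium- and WebKit-based browsers have removed it, Firefox never implemented it, and where it is still honoured the value `1` without `mode=block` re-renders the page with the suspected script stripped rather than blocking, which has been a source of side-channel issues. Prefer `'X-XSS-Protection' => '0'` (or drop the header) and add `'X-Content-Type-Options' => 'nosniff'`, which the defaults list lacks. Note also that `array_merge` compares keys case-sensitively, so a caller passing `'x-frame-options'` in `$headers` produces two headers instead of an override; unless sendHeaders normalises names (it is not in the hunk), a lower-cased key merge would be safer. The enclosing method begins before the hunk.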
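Review bot: The new `session_start()` options set Secure and HttpOnly but leave the SameSite attribute and strict mode at their php.ini defaults, so the session cookie is still attached to cross-site requests and an uninitialised session id supplied by the client is still accepted (session fixation) unless the ini overrides them; add `'cookie_samesite' => 'Lax',` and `'use_strict_mode' => true,` to the array (`cookie_samesite` needs PHP 7.3+, presumably satisfied since the array form already requires 7.0+). `session_start()`'s boolean return is also unchecked, so a failure to establish a session is silently ignored by init(). The two trailing comments would read better as a docblock on init() stating that cookie flags are enforced in code rather than relying on php.ini.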