diff --git a/app/app/settings.py b/app/app/settings.py
index fef95bd4e77..2322ccbab27 100644
--- a/app/app/settings.py
+++ b/app/app/settings.py
@@ -78,6 +78,7 @@
 # Application definition
 
 INSTALLED_APPS = [
+    'csp',
     'corsheaders',
     'django.contrib.admin',
     'taskapp.celery.CeleryConfig',
@@ -152,6 +153,7 @@
 ]
 
 MIDDLEWARE = [
+    'csp.middleware.CSPMiddleware',
     'corsheaders.middleware.CorsMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -738,6 +740,9 @@ def callback(request):
 if not AWS_S3_OBJECT_PARAMETERS:
     AWS_S3_OBJECT_PARAMETERS = {'CacheControl': f'max-age={AWS_S3_CACHE_MAX_AGE}', }
 
+CSP_DEFAULT_SRC = False
+CSP_FRAME_ANCESTORS = 'self'
+
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ORIGIN_WHITELIST = ('sumo.com', 'load.sumo.com', 'googleads.g.doubleclick.net', 'gitcoin.co', 'github.com',)
 CORS_ORIGIN_WHITELIST = CORS_ORIGIN_WHITELIST + (AWS_S3_CUSTOM_DOMAIN, MEDIA_CUSTOM_DOMAIN,)
diff --git a/requirements/base.txt b/requirements/base.txt
index 67f735e52a4..769a4a00426 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -5,6 +5,7 @@ cryptography==2.3
 celery==4.4.0
 django-celery-beat==1.1.1
 django==2.2.4
+django-csp==3.7
 django-cors-headers==2.4.0
 django-filter==2.0.0
 django-haystack
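Review bot: `CSP_FRAME_ANCESTORS = 'self'` in the third settings.py hunk is the keyword without its inner quotes; as far as I recall django-csp writes directive values verbatim, so the emitted header would be `frame-ancestors self`, which browsers parse as a host named "self" rather than the same-origin keyword and would therefore block the site's own frames too. The value should carry the CSP quoting, conventionally as a tuple: `CSP_FRAME_ANCESTORS = ("'self'",)`. `CSP_DEFAULT_SRC = False` looks intended to drop `default-src` so the policy consists only of `frame-ancestors` and imposes no script or style restrictions; that deserves a comment above the two lines, e.g. `# CSP is used only for clickjacking protection (frame-ancestors); default-src is deliberately disabled, so this header adds no script/style restrictions`. If `X_FRAME_OPTIONS` / `XFrameOptionsMiddleware` is configured elsewhere in this file (not visible in the hunk), the two settings should agree, since `frame-ancestors` takes precedence where supported.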