diff --git a/install/package.json b/install/package.json
index 82f349de5e..7e769d5f4b 100644
--- a/install/package.json
+++ b/install/package.json
@@ -43,6 +43,7 @@
 "express-session": "^1.15.6",
 "express-useragent": "1.0.8",
 "graceful-fs": "^4.1.11",
+ "helmet": "^3.11.0",
 "html-to-text": "3.3.0",
 "ipaddr.js": "^1.5.4",
 "jimp": "0.2.28",
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
index d63f163d7c..035608eab6 100644
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -11,7 +11,6 @@ module.exports = function (middleware) {
 'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
- 'Referrer-Policy': 'strict-origin-when-cross-origin', // consider using helmet?
 };
 
 if (meta.config['access-control-allow-origin']) {
diff --git a/src/webserver.js b/src/webserver.js
index c4c97fd058..639f2af667 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -17,6 +17,7 @@ var cookieParser = require('cookie-parser');
 var session = require('express-session');
 var useragent = require('express-useragent');
 var favicon = require('serve-favicon');
+var helmet = require('helmet');
 
 var db = require('./database');
 var file = require('./file');
@@ -171,6 +172,8 @@ function setupExpressApp(app, callback) {
 saveUninitialized: true,
 }));
 
+ app.use(helmet());
+ app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 app.use(middleware.addHeaders);
 app.use(middleware.processRender);
 auth.initialize(app, middleware);
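Review bot: With helmet now mounted ahead of addHeaders (per the src/webserver.js hunk in this commit), the `'X-Frame-Options'` line kept on the new side overlaps helmet's default frameguard, which as I recall emits `X-Frame-Options: SAMEORIGIN` on its own; whether this hand-built value replaces or duplicates that header depends on how addHeaders applies the object, which is outside the hunk. The `ALLOW-FROM` branch also deserves a caveat: browsers that do not implement ALLOW-FROM ignore the whole header, so configuring `allow-from-uri` leaves those users with no framing protection at all rather than a relaxed one. I would record both points next to the line: `// helmet's frameguard also sets X-Frame-Options; this value must win (or frameguard be disabled). ALLOW-FROM is ignored by most browsers - prefer CSP frame-ancestors for embedding.` The enclosing `module.exports = function (middleware)` body starts and ends outside the hunk.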
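Review bot: `app.use(helmet())` relies on helmet's full default set, and two of those defaults (as I recall for helmet 3: `frameguard` and `hsts` with `includeSubDomains`) interact with things this commit does not address: X-Frame-Options is still set by hand in src/middleware/headers.js from `meta.config['allow-from-uri']`, so the two middlewares will either duplicate or override each other depending on addHeaders, and an unconditional HSTS header commits every subdomain of the host to HTTPS for helmet's default max-age, which an operator running plain HTTP (or HTTPS on this host only) cannot undo once browsers have cached it. I would make those choices explicit and fold the separate referrer-policy call in: `app.use(helmet({ frameguard: false, hsts: false, referrerPolicy: { policy: 'strict-origin-when-cross-origin' } }));`, then enable `helmet.hsts(...)` behind an operator-facing config flag with a comment such as `// HSTS only when TLS is enforced for this host and its subdomains`. Helmet only affects responses from middleware registered after it, so it is worth confirming nothing (static assets, plugin routes) is mounted above this line; setupExpressApp starts and ends outside the hunk.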