diff --git a/.env.example b/.env.example
index 9bc90e5ed2..35f2277b37 100644
--- a/.env.example
+++ b/.env.example
@@ -63,6 +63,7 @@ ENCRYPT=false
 COOKIE_NAME=snipeit_session
 COOKIE_DOMAIN=null
 SECURE_COOKIES=false
+REFERRER_POLICY=strict-origin
 # --------------------------------------------
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 44d6d521ba..f46813734b 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -19,6 +19,7 @@ class Kernel extends HttpKernel
         \Illuminate\View\Middleware\ShareErrorsFromSession::class,
         \App\Http\Middleware\FrameGuard::class,
         \App\Http\Middleware\XssProtectHeader::class,
+        \App\Http\Middleware\ReferrerPolicyHeader::class,
         \App\Http\Middleware\NosniffGuard::class,
         \App\Http\Middleware\CheckForSetup::class,
         \Fideloper\Proxy\TrustProxies::class,
diff --git a/app/Http/Middleware/ReferrerPolicyHeader.php b/app/Http/Middleware/ReferrerPolicyHeader.php
new file mode 100644
index 0000000000..430ce45af3
--- /dev/null
+++ b/app/Http/Middleware/ReferrerPolicyHeader.php
@@ -0,0 +1,21 @@
+headers->set('Referrer-Policy', config('app.referrer_policy'));
+        return $response;
+    }
+}
diff --git a/app/Http/Middleware/XssProtectHeader.php b/app/Http/Middleware/XssProtectHeader.php
index dd99d2ed4d..45b9806802 100644
--- a/app/Http/Middleware/XssProtectHeader.php
+++ b/app/Http/Middleware/XssProtectHeader.php
@@ -14,8 +14,9 @@ class XssProtectHeader
      */
     public function handle($request, Closure $next)
     {
+        $mode = '1; mode=block';
         $response = $next($request);
-        $response->headers->set('X-XSS-Protection', '1');
+        $response->headers->set('X-XSS-Protection', $mode);
         return $response;
     }
 }
diff --git a/config/app.php b/config/app.php
index 5fbfc80739..451fd17de1 100755
--- a/config/app.php
+++ b/config/app.php
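Review bot: The shipped default `REFERRER_POLICY=strict-origin` strips everything but the origin from the Referer even on same-origin navigations, so any code path that reads the referrer — Laravel's `redirect()->back()` / `url()->previous()` consult the Referer header first — will land on the site root instead of the previous page once this header is active. `strict-origin-when-cross-origin` keeps the full URL for same-origin requests while still sending only the origin cross-origin and nothing on an HTTPS→HTTP downgrade, which is the leak this change is guarding against; I would make that the default here and in `config/app.php` (the same literal appears in both), `REFERRER_POLICY=strict-origin-when-cross-origin`, and add a comment line above it listing the accepted tokens so operators do not have to guess. Whether this application actually relies on the referrer for back-navigation cannot be seen from this diff, so confirm against the controllers before changing the default.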
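Review bot: The value handed to `headers->set('Referrer-Policy', config('app.referrer_policy'))` comes straight from the environment with no validation, and browsers silently ignore an unknown or empty Referrer-Policy token, so a typo in `REFERRER_POLICY` (or an empty `REFERRER_POLICY=` line, which appears to reach this call as an empty string) leaves the app with no policy while the header looks set. The spec defines exactly eight tokens, so the middleware can check the configured string against that list and fall back to the intended default when it does not match, as sketched below. The class header, the `handle()` signature and the `$next($request)` call are not visible in this hunk as extracted, so the placement of the check relative to them is inferred.
```php
        // … unchanged (not shown in hunk): $response = $next($request); …
        // Browsers ignore unknown Referrer-Policy tokens, so validate the
        // operator-supplied value instead of emitting whatever is in .env.
        $allowed = [
            'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
            'strict-origin', 'origin-when-cross-origin',
            'strict-origin-when-cross-origin', 'unsafe-url',
        ];
        $policy = (string) config('app.referrer_policy', 'strict-origin');
        if (! in_array($policy, $allowed, true)) {
            $policy = 'strict-origin';
        }
        $response->headers->set('Referrer-Policy', $policy);
        return $response;
```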
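Review bot: `X-XSS-Protection: 1; mode=block` turns on a browser filter that is deprecated and, in the browsers that still honour it, has been abused as a side channel (the filter's block decision leaks whether a given string occurs in the page) and to selectively disable scripts, which is why OWASP's current guidance is `X-XSS-Protection: 0` plus a Content-Security-Policy; Chromium removed its auditor in version 78 and Firefox never shipped one. If the project wants to keep the legacy value for older browsers, that trade-off should at least be stated in the code, e.g. `// Legacy header: ignored by current Chromium/Firefox, kept for older browsers; CSP is the real control.` above `$mode`. On style, `$mode` is a fixed string assigned before `$next($request)` and never varies, so `private const MODE = '1; mode=block';` on the class (or simply inlining the literal as before) reads more honestly than a local that looks computed. The enclosing class starts above this hunk.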
@@ -155,6 +155,21 @@ return [
     'allow_iframing' => env('ALLOW_IFRAMING', false),
+    /*
+    |--------------------------------------------------------------------------
+    | REFERRER-POLICY
+    |--------------------------------------------------------------------------
+    |
+    | This is an additional security header that browsers use to determine
+    | whether they should report back URL referrer information.
+    |
+    | Read more: https://www.w3.org/TR/referrer-policy/
+    |
+    */
+
+    'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
+
+
     /*
     |--------------------------------------------------------------------------
     | Demo Mode Lockdown