diff --git a/app/controllers/admin/background_jobs_controller.rb b/app/controllers/admin/background_jobs_controller.rb
index 338496013a02a61954e865b003eaa9daf0377f0f..7ccbe7c4232d99dfb2912e7f247a51deb437c3c8 100644
--- a/app/controllers/admin/background_jobs_controller.rb
+++ b/app/controllers/admin/background_jobs_controller.rb
@@ -2,5 +2,9 @@ class Admin::BackgroundJobsController < Admin::ApplicationController
   def show
     ps_output, _ = Gitlab::Popen.popen(%W(ps -U #{Gitlab.config.gitlab.user} -o pid,pcpu,pmem,stat,start,command))
     @sidekiq_processes = ps_output.split("\n").grep(/sidekiq/)
+
+    override_x_frame_options("SAMEORIGIN")
+
+    override_content_security_policy_directives(frame_ancestors: %w('self'))
   end
 end
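Review bot: The two overrides added to `show` have no comment saying which embedding they are meant to permit, and as written they only relax the headers on this action's own response: `X-Frame-Options` and `frame-ancestors` govern whether the response that carries them may be framed, not what that page may itself frame. If the intent is to let this page iframe another UI, the relaxation has to sit on the framed response instead; if the intent is that some other same-origin page frames this one, say so. Note also that the new initializer sets `report_only: true`, so the `frame_ancestors` override is not enforced in browsers and `SAMEORIGIN` is doing all the work here. A one-line comment such as `# Allow same-origin framing of this page only; the global default is DENY (see config/initializers/secure_headers.rb)` would make the exception auditable.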
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7ac4c7ace8e824d3158f2530cecea17a74793e39
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,38 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true, # mark all cookies as "Secure"
+    httponly: true, # mark all cookies as "HttpOnly"
+    samesite: {
+      strict: true # mark all cookies as SameSite=Strict
+    }
+  }
+  config.x_frame_options = "DENY"
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = "1; mode=block"
+  config.x_download_options = "noopen"
+  config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
+  config.csp = {
+    # "meta" values. these will shaped the header, but the values are not included in the header.
+    report_only: true,      # default: false
+    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+    # directive values: these values will directly translate into source directives
+    default_src: %w('none'),
+    frame_src: %w('self'),
+    connect_src: %w('self'),
+    font_src: %w('self'),
+    img_src: %w('self' www.gravatar.com secure.gravatar.com),
+    media_src: %w('none'),
+    object_src: %w('none'),
+    script_src: %w('unsafe-inline' 'unsafe-eval' 'self' maxcdn.bootstrapcdn.com),
+    style_src: %w('unsafe-inline' 'self'),
+    base_uri: %w('self'),
+    child_src: %w('self'),
+    form_action: %w('self'),
+    frame_ancestors: %w('none'),
+    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+    report_uri: %w('')
+  }
+end
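Review bot: `report_uri: %w('')` emits an empty report-uri, so with `report_only: true` the policy is neither enforced nor reported and no violation will ever surface; either point it at a real endpoint, e.g. `report_uri: %w(/-/csp_report)` (whatever path the app actually serves), or drop the directive until one exists. Two caveats a deployer will hit: `samesite: { strict: true }` means the session cookie is not sent on cross-site top-level navigations, so OAuth/SAML callbacks and links into the instance from mail or chat land on a logged-out page — `lax: true` is usually the workable default; and `secure: true` on every cookie breaks plain-HTTP installs, which should be called out in the comment. Finally, `script_src` with `'unsafe-inline' 'unsafe-eval'` leaves the policy with little XSS value, so a comment stating this is a report-only baseline to be tightened with nonces would set expectations.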