diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index da3c5092b910..004549679159 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -17,15 +17,12 @@ class Kernel extends HttpKernel
 \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
 \Illuminate\Session\Middleware\StartSession::class,
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
- \App\Http\Middleware\FrameGuard::class,
- \App\Http\Middleware\XssProtectHeader::class,
- \App\Http\Middleware\ReferrerPolicyHeader::class,
- \App\Http\Middleware\ContentSecurityPolicyHeader::class,
- \App\Http\Middleware\NosniffGuard::class,
 \Fideloper\Proxy\TrustProxies::class,
 \App\Http\Middleware\CheckForSetup::class,
 \App\Http\Middleware\CheckForDebug::class,
 \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+ \App\Http\Middleware\SecurityHeaders::class,
+
 ];
 /**
diff --git a/app/Http/Middleware/FrameGuard.php b/app/Http/Middleware/FrameGuard.php
deleted file mode 100644
index beb19f20f128..000000000000
--- a/app/Http/Middleware/FrameGuard.php
+++ /dev/null
@@ -1,24 +0,0 @@
-headers->set('X-Frame-Options', 'SAMEORIGIN', false);
- }
- return $response;
-
- }
-}
diff --git a/app/Http/Middleware/NosniffGuard.php b/app/Http/Middleware/NosniffGuard.php
deleted file mode 100644
index 295f5e75afb1..000000000000
--- a/app/Http/Middleware/NosniffGuard.php
+++ /dev/null
@@ -1,21 +0,0 @@
-headers->set('X-Content-Type-Options', 'nosniff', false);
- return $response;
- }
-}
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
new file mode 100644
index 000000000000..8e0b5b945c45
--- /dev/null
+++ b/app/Http/Middleware/SecurityHeaders.php
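Review bot: `\App\Http\Middleware\SecurityHeaders::class` is appended after `TrustProxies`, `CheckForSetup` and `CheckForDebug`, so any response one of those produces without calling `$next` (a setup redirect, say — their bodies are not visible here) leaves without any of the new headers, whereas the five removed middlewares sat in front of them. Laravel runs the global `$middleware` array in order with the first entry outermost, and a middleware that decorates the response after `$next($request)` only covers what runs inside it, so move the entry to the front of the array rather than the end. The extra blank `+` line before `];` is also a stray and should be dropped.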
@@ -0,0 +1,56 @@
+removeUnwantedHeaders($this->unwantedHeaderList);
+ $response = $next($request);
+ $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
+ $response->headers->set('X-XSS-Protection', '1; mode=block');
+ $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+
+ if (config('app.allow_iframing') == false) {
+ $response->headers->set('X-Frame-Options', 'DENY');
+ }
+
+ $policy[] = "default-src 'self'";
+ $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
+ $policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
+ $policy[] = "connect-src 'self'";
+ $policy[] = "object-src 'none'";
+ $policy[] = "font-src 'self' data:";
+ $policy[] = "img-src 'self' data: gravatar.com";
+ $policy = join(';', $policy);
+ $response->headers->set('Content-Security-Policy', $policy);
+
+ return $response;
+ }
+
+ private function removeUnwantedHeaders($headerList)
+ {
+ foreach ($headerList as $header)
+ header_remove($header);
+ }
+}
diff --git a/app/Http/Middleware/XssProtectHeader.php b/app/Http/Middleware/XssProtectHeader.php
deleted file mode 100644
index 868d100f3788..000000000000
--- a/app/Http/Middleware/XssProtectHeader.php
+++ /dev/null
@@ -1,22 +0,0 @@
-headers->set('X-XSS-Protection', $mode);
- return $response;
- }
-}
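Review bot: `Strict-Transport-Security` with `max-age=31536000; includeSubDomains` is set on every response with no check that the request arrived over TLS and no operator opt-in; the first time the site is reached over HTTPS, browsers pin it and every subdomain for a year, which is hard to walk back for a self-hosted app that already exposes switches like `app.allow_iframing`. Gate it at least on the scheme, `if ($request->secure()) { $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); }`, and ideally on a config flag as well. The CSP's `script-src 'self' 'unsafe-inline' 'unsafe-eval'` lets any injected inline script run, so the policy is effectively a CDN allowlist rather than XSS mitigation — say so in a comment — and `$policy[] = "frame-ancestors 'none'";` belongs inside the `allow_iframing == false` branch, since `frame-ancestors` does not inherit from `default-src`. Note also that `set()` here replaces any header a route already chose (the removed middlewares passed `false` to keep an existing value), and that `header_remove()` runs before `$next` against PHP's global header list, so it only reaches SAPI-emitted headers such as `X-Powered-By`; the start of `handle()` and the contents of `$unwantedHeaderList` are not legible in this hunk.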