diff --git a/regulations/settings/base.py b/regulations/settings/base.py
index 5e71ebb21..94a10cd66 100644
--- a/regulations/settings/base.py
+++ b/regulations/settings/base.py
@@ -117,18 +117,32 @@
 ]
-# Note order:
-# https://docs.djangoproject.com/en/1.8/topics/cache/#the-per-site-cache
+# Order from
+# https://docs.djangoproject.com/en/1.9/ref/middleware/#middleware-ordering
 MIDDLEWARE_CLASSES = (
+    'django.middleware.security.SecurityMiddleware',
     'django.middleware.cache.UpdateCacheMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django.middleware.cache.FetchFromCacheMiddleware',
 )
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 ROOT_URLCONF = 'regulations.urls'
 INSTALLED_APPS = (
+    # Note: no admin
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
     'django.contrib.staticfiles',
     'regulations.apps.RegulationsConfig',
 )
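Review bot: The session cookie this hunk introduces (via `SessionMiddleware` and `django.contrib.sessions`) gets no transport protection: the new `SECURE_*` block only sets the nosniff and XSS-filter headers, and nothing here sets `SESSION_COOKIE_SECURE` or `CSRF_COOKIE_SECURE`, so unless a production settings module not shown in this diff overrides them, the session and CSRF cookies will be sent over plain HTTP with Django's default of `False`. Alongside `SECURE_CONTENT_TYPE_NOSNIFF = True` I would add `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` (or a comment stating that the deployment settings are responsible for them), and note that `SecurityMiddleware` does nothing for HTTPS redirects or HSTS until `SECURE_SSL_REDIRECT` / `SECURE_HSTS_SECONDS` are set. It is also worth a comment above `MIDDLEWARE_CLASSES` that the per-site cache is kept safe for logged-in users only because `SessionMiddleware` adds `Vary: Cookie` when the session is touched and `UpdateCacheMiddleware` skips responses that set a cookie on a cookie-less request, so any view that varies output on the user without reading `request.user`/the session would be cached for everyone. The `SessionAuthenticationMiddleware` entry is correct for the 1.9 docs linked in the comment but becomes a no-op from 1.10, which is fine to leave.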