diff --git a/src/webserver.js b/src/webserver.js
index 9df560345e82..61329d46e641 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -164,14 +164,7 @@ function setupExpressApp(app) {
 		saveUninitialized: nconf.get('sessionSaveUninitialized') || false,
 	}));
 
-	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
-	if (meta.config['hsts-enabled']) {
-		app.use(helmet.hsts({
-			maxAge: meta.config['hsts-maxage'],
-			includeSubDomains: !!meta.config['hsts-subdomains'],
-			preload: !!meta.config['hsts-preload'],
-		}));
-	}
+	setupHelmet(app);
 
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
@@ -183,6 +176,27 @@ function setupExpressApp(app) {
 	toobusy.interval(meta.config.eventLoopInterval);
 }
 
+function setupHelmet(app) {
+	app.use(helmet.dnsPrefetchControl());
+	app.use(helmet.expectCt());
+	app.use(helmet.frameguard());
+	app.use(helmet.hidePoweredBy());
+	app.use(helmet.ieNoOpen());
+	app.use(helmet.noSniff());
+	app.use(helmet.permittedCrossDomainPolicies());
+	app.use(helmet.xssFilter());
+
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
+	if (meta.config['hsts-enabled']) {
+		app.use(helmet.hsts({
+			maxAge: meta.config['hsts-maxage'],
+			includeSubDomains: !!meta.config['hsts-subdomains'],
+			preload: !!meta.config['hsts-preload'],
+		}));
+	}
+}
+
+
 function setupFavicon(app) {
 	var faviconPath = meta.config['brand:favicon'] || 'favicon.ico';
 	faviconPath = path.join(nconf.get('base_dir'), 'public', faviconPath.replace(/assets\/uploads/, 'uploads'));
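Review bot: `helmet.expectCt()` in the new setupHelmet is registered with no options, so (on the helmet 3.x API this hunk appears to target) it emits `Expect-CT: max-age=0` with enforcement off — a header browsers treat as no policy at all, while the code reads as if certificate-transparency enforcement were configured; either wire it to configuration with a non-zero `maxAge` (`app.use(helmet.expectCt({ maxAge: <value from config>, enforce: true }))`, only where the deployment's certificates are known to be CT-logged) or drop the line, since Expect-CT has since been deprecated by browsers. The other parameterless calls (`frameguard` → `SAMEORIGIN`, `noSniff`, `xssFilter`, `dnsPrefetchControl`) rely on helmet defaults, which is likely intended, but `frameguard` and `noSniff` are the two that can break embedding or legacy asset serving, so a short comment naming the defaults being relied on would save the next reader a lookup. The HSTS block moved unchanged passes `meta.config['hsts-maxage']` straight into `maxAge`; if meta.config values can arrive as strings from the admin settings, helmet.hsts rejects a non-numeric maxAge at startup, so coercing with `parseInt(meta.config['hsts-maxage'], 10)` and a sane fallback would make the new function robust. setupHelmet is also undocumented; a header such as `/** Registers helmet security-header middleware; HSTS is added only when meta.config['hsts-enabled'] is set. */` would help.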