diff --git a/src/lib/express.ts b/src/lib/express.ts
index de14616..849f85f 100644
--- a/src/lib/express.ts
+++ b/src/lib/express.ts
@@ -13,6 +13,8 @@ const redisStore = require('express-brute-redis');
 export function setBasicSecurity(app: Application, route: string, options: SecurityOptions = {}): void {
 app.use(route, helmet(Object.assign({}, defaults.helmetOptions, options.helmet)));
 app.use(route, cors(Object.assign({}, defaults.corsOptions, options.cors)));
+ // SAFARI BUGFIX: include credentials
+ app.use((_req, res, next) => { res.set('credentials', 'include'); next(); });
 }
 /**
diff --git a/tests/lib/express.test.ts b/tests/lib/express.test.ts
index 377889f..b84256b 100644
--- a/tests/lib/express.test.ts
+++ b/tests/lib/express.test.ts
@@ -23,6 +23,9 @@ describe('Express', () => {
 expect(headers).toHaveProperty('x-download-options');
 expect(headers).toHaveProperty('strict-transport-security');
+ // Safari bugfix for sessions
+ expect(headers).toHaveProperty('credentials', 'include');
+ // cors
 expect(headers).toHaveProperty('access-control-allow-origin');
 });
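Review bot: The middleware added to `setBasicSecurity` sets a response header literally named `credentials`, which browsers do not interpret; `credentials: 'include'` is a client-side fetch option, and the server-side counterpart is `Access-Control-Allow-Credentials: true`, which the `cors` middleware emits when given `credentials: true`. If credentialed cross-origin requests are the goal, I would drop this middleware and pass `credentials: true` through `defaults.corsOptions` (not visible in this diff) together with an explicit origin allowlist, because reflecting arbitrary origins while allowing credentials lets any site read authenticated responses. The middleware is also mounted without `route`, unlike the helmet and cors lines above it, so it runs for every path on the app; if it stays, use `app.use(route, (_req, res, next) => { ... })`. The assertion added in tests/lib/express.test.ts pins the same non-standard header and would be better written against `access-control-allow-credentials`.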