diff --git a/app.js b/app.js
index 35fb17521..8129070a3 100644
--- a/app.js
+++ b/app.js
@@ -65,8 +65,10 @@ if (process.env.NODE_ENV === 'production') {
       helmet({
         // in production these headers are set by ingress.open-cluster-management.io
         frameguard: false,
-        noSniff: true,
-        xssFilter: true
+        hsts: {
+          maxAge: 63072000,
+          preload: true
+        }
       })
     )
@@ -81,13 +83,6 @@ if (process.env.NODE_ENV === 'production') {
   app.use('*', morgan('dev'))
 }
 
-app.use((req, res, next) => {
-  res.removeHeader('X-Frame-Options')
-  res.removeHeader('X-Content-Type-Options')
-  res.removeHeader('X-Xss-Protection')
-  next()
-})
-
 const csrfMiddleware = csurf({
   cookie: {
     httpOnly: false,
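Review bot: `preload: true` in the new hsts block only yields a preload-eligible header when `includeSubDomains` is also emitted; helmet does that by default, but the intent is invisible here and a later `includeSubDomains: false` would silently break eligibility, so spell it out: `hsts: { maxAge: 63072000, includeSubDomains: true, preload: true }`. Preload is effectively irreversible once the domain is submitted to the list, so a one-line comment recording that decision above the block would help the next maintainer. The comment two lines up says the ingress sets these headers in production; if the ingress also emits Strict-Transport-Security the two values may disagree, which is worth confirming. The enclosing `if (process.env.NODE_ENV === 'production')` block begins and ends outside the hunk.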
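Review bot: Deleting this middleware re-enables X-Content-Type-Options and X-XSS-Protection in every environment, because the first hunk also stops naming `noSniff`/`xssFilter` and helmet turns both on unless told otherwise; that looks intended, but the `// in production these headers are set by ingress...` comment in the first hunk now describes only `frameguard` and should say so, e.g. `// X-Frame-Options is set by the ingress in production; other helmet defaults stay on`. The X-XSS-Protection value helmet sends depends on the helmet major in use (recent releases send `0`), so if the ingress sets a different value the two may conflict — worth confirming against the ingress config. The `csurf` options that follow are cut off at the hunk edge.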