diff --git a/services/web/app/coffee/infrastructure/Server.coffee b/services/web/app/coffee/infrastructure/Server.coffee
index c0fabe1554..39fc3c131b 100644
--- a/services/web/app/coffee/infrastructure/Server.coffee
+++ b/services/web/app/coffee/infrastructure/Server.coffee
@@ -153,6 +153,9 @@ webRouter.use (req, res, next) ->
 		dnsPrefetchControl: false
 		referrerPolicy: { policy: 'origin-when-cross-origin' }
 		noCache: isLoggedIn || isProjectPage
+		noSniff: false
+		hsts: false
+		frameguard: false
 	})(req, res, next)
 
 profiler = require "v8-profiler"
diff --git a/services/web/test/acceptance/coffee/SecurityHeadersTests.coffee b/services/web/test/acceptance/coffee/SecurityHeadersTests.coffee
index 3202f124c1..f3fddf4b07 100644
--- a/services/web/test/acceptance/coffee/SecurityHeadersTests.coffee
+++ b/services/web/test/acceptance/coffee/SecurityHeadersTests.coffee
@@ -5,9 +5,6 @@ request = require('./helpers/request')
 
 assert_has_common_headers = (response) ->
 	headers = response.headers
-	assert.equal(headers['x-frame-options'], 'SAMEORIGIN')
-	assert.equal(headers['strict-transport-security'], 'max-age=15552000; includeSubDomains')
-	assert.equal(headers['x-content-type-options'], 'nosniff')
 	assert.equal(headers['x-download-options'], 'noopen')
 	assert.equal(headers['x-xss-protection'], '1; mode=block')
 	assert.equal(headers['referrer-policy'], 'origin-when-cross-origin')