diff --git a/CHANGELOG.md b/CHANGELOG.md
index a67fdc19..7276c84e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 * **1.4 (not yet released)**
 * ADDED: Translation for Estonian
+ * ADDED: new HTTP headers improving security (#765)
 * **1.3.5 (2021-04-05)**
 * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan
 * ADDED: Make the project info configurable (#681)
diff --git a/lib/Controller.php b/lib/Controller.php
index 38fc09d9..bc23a52a 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -346,10 +346,13 @@ class Controller
         header('Last-Modified: ' . $time);
         header('Vary: Accept');
         header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
+        header('Cross-Origin-Resource-Policy: same-origin');
+        header('Cross-Origin-Embedder-Policy: require-corp');
+        header('Cross-Origin-Opener-Policy: same-origin');
         header('Referrer-Policy: no-referrer');
-        header('X-Xss-Protection: 1; mode=block');
-        header('X-Frame-Options: DENY');
         header('X-Content-Type-Options: nosniff');
+        header('X-Frame-Options: deny');
+        header('X-XSS-Protection: 1; mode=block');
 
         // label all the expiration options
         $expire = array();
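Review bot: The three new Cross-Origin-* headers in the lib/Controller.php hunk are hard-coded while the adjacent Content-Security-Policy is read from `$this->_conf->getKey('cspheader')`, so an operator who relaxes the configured CSP to permit a cross-origin resource will still have it refused by `Cross-Origin-Embedder-Policy: require-corp` unless that origin sends CORP or CORS headers; whether any shipped feature loads such a resource I cannot tell from the hunk. Either source these values from the configuration the same way the CSP is, or document the coupling with a comment above the added lines, e.g. `// COEP require-corp refuses cross-origin subresources lacking CORP/CORS headers; keep the configured cspheader consistent with it`. Separately, the retained `X-XSS-Protection: 1; mode=block` (only its casing changed here) targets an auditor that current browsers no longer ship, and OWASP's present guidance is to send `X-XSS-Protection: 0` if the header is sent at all, because the legacy filter itself introduced side-channel issues; consider `header('X-XSS-Protection: 0');` or dropping the line and relying on the CSP. The enclosing method starts and ends outside the hunk.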