diff --git a/config/env/default.js b/config/env/default.js
index 2edd28ec33..735dd0adb2 100644
--- a/config/env/default.js
+++ b/config/env/default.js
@@ -28,6 +28,19 @@ module.exports = {
 // for obsecurity reasons
 sessionKey: 'sessionId',
 sessionCollection: 'sessions',
+ // Lusca config
+ csrf: {
+ csrf: false,
+ csp: { /* Content Security Policy object */},
+ xframe: 'SAMEORIGIN',
+ p3p: 'ABCDEF',
+ hsts: {
+ maxAge: 31536000, // Forces HTTPS for one year
+ includeSubDomains: true,
+ preload: true
+ },
+ xssProtection: true
+ },
 logo: 'modules/core/client/img/brand/logo.png',
 favicon: 'modules/core/client/img/brand/favicon.ico',
 uploads: {
diff --git a/config/lib/express.js b/config/lib/express.js
index 53ca6418c9..2f7e1515e2 100644
--- a/config/lib/express.js
+++ b/config/lib/express.js
@@ -17,7 +17,8 @@ var config = require('../config'),
 helmet = require('helmet'),
 flash = require('connect-flash'),
 consolidate = require('consolidate'),
- path = require('path');
+ path = require('path'),
+ lusca = require('lusca');
 
 /**
 * Initialize local variables
@@ -122,6 +123,9 @@ module.exports.initSession = function (app, db) {
 collection: config.sessionCollection
 })
 }));
+
+ // Add Lusca CSRF Middleware
+ app.use(lusca(config.csrf));
 };
 
 /**
@@ -228,7 +232,7 @@ module.exports.init = function (db) {
 
 // Initialize Express view engine
 this.initViewEngine(app);
-
+
 // Initialize Helmet security headers
 this.initHelmetHeaders(app);
 
diff --git a/package.json b/package.json
index 1af5d135c5..39ec3c5b8d 100644
--- a/package.json
+++ b/package.json
@@ -43,6 +43,7 @@
 "helmet": "~0.9.1",
 "jasmine-core": "~2.3.4",
 "lodash": "~3.10.0",
+ "lusca": "~1.3.0",
 "method-override": "~2.3.3",
 "mocha": "~2.4.5",
 "mongoose": "~4.2.3",
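Review bot: `csrf: false` in the new `csrf` block switches Lusca's CSRF check off, so the `app.use(lusca(config.csrf))` line added under `// Add Lusca CSRF Middleware` in config/lib/express.js installs only the header middlewares and adds no CSRF token validation; either set `csrf: true` (which also requires exposing the token to the client templates or XHR layer) or change that comment so nobody assumes forms are protected. `p3p: 'ABCDEF'` is a placeholder rather than a compact P3P policy, and an arbitrary P3P header has no protective value, so the key should be dropped unless a real policy is intended. The `hsts`, `xframe` and `xssProtection` options overlap with headers that Helmet, initialized later in `initHelmetHeaders`, presumably already emits; reconcile the two to a single source so the responses do not carry conflicting values. The empty `csp: {}` presumably produces no usable policy, so either fill it in or omit the key until a policy exists.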
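Review bot: The option object passed at `app.use(lusca(config.csrf))` carries the whole Lusca configuration (csp, xframe, hsts, p3p, xssProtection), so the key name `config.csrf` and the nested `config.csrf.csrf` read as if they were CSRF-only settings; naming the block `lusca` in config/env/default.js and calling `app.use(lusca(config.lusca))` would match what it holds. Placing the call after the session middleware is what Lusca's CSRF option needs, since it keeps its token state in `req.session`, so the position is fine, but a comment recording that dependency — `// Must run after the session middleware: Lusca's CSRF state lives in req.session` — would keep a later reorder from silently breaking it. initSession's body starts outside the hunk.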