diff --git a/dpaste/migrations/0004_auto_20180107_1603.py b/dpaste/migrations/0004_auto_20180107_1603.py
new file mode 100644
index 0000000..2b8e92e
--- /dev/null
+++ b/dpaste/migrations/0004_auto_20180107_1603.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.9 on 2018-01-07 16:03
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dpaste', '0003_snippet_highlighted'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='snippet',
+            name='lexer',
+            field=models.CharField(default='python', max_length=30, verbose_name='Lexer'),
+        ),
+    ]
diff --git a/dpaste/settings/base.py b/dpaste/settings/base.py
index cc89dd9..89675cb 100644
--- a/dpaste/settings/base.py
+++ b/dpaste/settings/base.py
@@ -70,15 +70,11 @@ LOCALE_PATHS = (
 )
 
 #==============================================================================
-# Static files
+# Project URLS and media settings
 #==============================================================================
 
 STATIC_ROOT = os.path.join(VAR_ROOT, 'static')
 
-#==============================================================================
-# Project URLS and media settings
-#==============================================================================
-
 STATIC_URL = '/static/'
 ADMIN_MEDIA_PREFIX = '/static/admin/'
 
@@ -92,14 +88,22 @@ LOGIN_REDIRECT_URL = '/'
 # Templates
 #==============================================================================
 
-MIDDLEWARE_CLASSES = (
+MIDDLEWARE_CLASSES = [
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
-)
+    'django.middleware.security.SecurityMiddleware',
+    'csp.middleware.CSPMiddleware',
+]
 
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_BROWSER_XSS_FILTER =True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 
 TEMPLATES = [
     {
diff --git a/dpaste/settings/local.py.example b/dpaste/settings/local.py.example
index 00716ba..6c3b1e6 100644
--- a/dpaste/settings/local.py.example
+++ b/dpaste/settings/local.py.example
@@ -19,3 +19,10 @@ DATABASES = {
 SECRET_KEY = 'changeme'
 
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+INSTALLED_APPS += ('sslserver',)
+
+# Disable for local development
+if not 'runsslserver' in sys.argv:
+    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = False