diff --git a/customHttp.yml b/customHttp.yml
index 9e866dc7f7f..63a5d5028a2 100644
--- a/customHttp.yml
+++ b/customHttp.yml
@@ -12,6 +12,10 @@ customHeaders:
 value: '1; mode=block'
 - key: 'X-Content-Type-Options'
 value: 'nosniff'
+ - key: 'Cache-Control'
+ value: 'no-store, no-cache'
+ - key: 'Pragma'
+ value: 'no-cache'
 - key: 'Content-Security-Policy'
- value: 'upgrade-insecure-requests;'
+ value: "upgrade-insecure-requests; frame-ancestors 'none';" # CSP also set in _document.tsx meta tag
diff --git a/src/pages/_document.tsx b/src/pages/_document.tsx
index 51c80b46482..538069d06df 100644
--- a/src/pages/_document.tsx
+++ b/src/pages/_document.tsx
@@ -62,6 +62,8 @@ const getCspContent = (context) => {
 if (process.env.BUILD_ENV !== 'production') {
 return `
 default-src 'none';
+ object-src 'none';
+ base-uri 'none';
 style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
 font-src 'self' data:;
 frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -85,6 +87,8 @@ const getCspContent = (context) => {
 // Have to keep track of CSP inside customHttp.yml as well
 return `
 default-src 'none';
+ object-src 'none';
+ base-uri 'none';
 style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
 font-src 'self';
 frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -102,6 +106,7 @@ const getCspContent = (context) => {
 script-src 'self' ${cspInlineScriptHash} ${ANALYTICS_CSP.prod.script.join( ' ' )} ${ANALYTICS_CSP.all.script.join(' ')};
+ require-trusted-types-for 'script';
 `;
 };
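Review bot: `Cache-Control: no-store, no-cache` is added to the same customHeaders group as the security headers, so it applies to every response matched by that group's `pattern`; if that pattern is the catch-all, hashed `_next/static` assets lose client caching and get refetched on each visit (the `pattern` line is outside the hunk, so this is inferred). Scope the header to the HTML and API routes that actually carry per-user data, or give static assets their own `customHeaders` entry with a long `max-age`. `no-store` already forbids storing the response, so `no-cache` and the HTTP/1.0 `Pragma` header add nothing for current clients; they are harmless, but `no-store` alone is the usual form. `frame-ancestors 'none'` belongs in this header rather than the meta tag because browsers ignore `frame-ancestors` in a `<meta>` CSP, so the inline comment could say so: `# frame-ancestors must stay in the header: browsers ignore it in a <meta> CSP`.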
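Review bot: The comment `// Have to keep track of CSP inside customHttp.yml as well` now understates the relationship between the two policies: after this change the header carries `frame-ancestors 'none'`, which a `<meta>` CSP cannot enforce, while `object-src 'none'` and `base-uri 'none'` added here exist only in the meta tag, so the effective policy is the intersection of two differently scoped sources. Extend it along the lines of `// Combined with the header CSP in customHttp.yml: frame-ancestors can only live there, every other directive lives here`. `base-uri 'none'` also blocks any `<base>` element the document renders; none is visible in this hunk, so that is only worth confirming. getCspContent starts before this hunk and continues after it.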
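Review bot: `require-trusted-types-for 'script'` is added only to the production policy, so the non-production branch at @@ -62 never exercises it and the first place a violation surfaces is a deployed build. Once enforced, Chromium rejects plain strings assigned to sinks such as `script.src`, which the webpack chunk-loading runtime used by Next.js relies on for client-side navigation; unless the bundler is already configured to emit TrustedScriptURLs (webpack's `output.trustedTypes`, not visible here), route transitions can fail in production only. Add the same line to the @@ -62 template so it is caught locally, and consider a `trusted-types <policy-name>` directive naming the policies the app creates, since without it any script may register a policy of any name. getCspContent begins outside this hunk.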