diff --git a/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java b/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java
index 7edb5dc25..5b61dd2bb 100644
--- a/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java
+++ b/app/src/main/java/gov/hhs/cdc/trustedintermediary/external/javalin/App.java
@@ -52,6 +52,7 @@ public static void main(String[] args) {
 ctx -> {
 ctx.header("X-Content-Type-Options", "nosniff");
 // Fix for https://www.zaproxy.org/docs/alerts/90004
+ ctx.header("Cross-Origin-Resource-Policy", "same-origin");
 });
 try {
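Review bot: The comment above the new `Cross-Origin-Resource-Policy` line gives only a URL, so a reader cannot tell which header it justifies or what the finding is; I would spell it out, e.g. `// Cross-Origin-Resource-Policy: same-origin addresses ZAP alert 90004 (Insufficient Site Isolation Against Spectre Vulnerability)`. As far as I know that alert also checks `Cross-Origin-Embedder-Policy` and `Cross-Origin-Opener-Policy` on HTML document responses, so if the app serves any HTML it is worth confirming the scan comes back clean with this header alone. The handler's registration is outside the hunk, so I cannot see whether it also runs for error and not-found responses; a test asserting both headers on a failing request would pin that down.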