diff --git a/project/__init__.py b/project/__init__.py
index 7aaa0dd..fd23c83 100644
--- a/project/__init__.py
+++ b/project/__init__.py
@@ -63,6 +63,9 @@ if os.getenv("PREFERRED_URL_SCHEME"): # pragma: no cover
     if app.config["PREFERRED_URL_SCHEME"] == "https":
         app.config["SESSION_COOKIE_SECURE"] = True
+        app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
+        app.config["REMEMBER_COOKIE_SECURE"] = True
+        app.config["REMEMBER_COOKIE_SAMESITE"] = "Lax"
 from project.reverse_proxied import ReverseProxied
diff --git a/project/requests.py b/project/requests.py
index 7fd8415..97712fa 100644
--- a/project/requests.py
+++ b/project/requests.py
@@ -17,6 +17,7 @@ def set_manage_admin_unit_cookie(response):
         value=encoded,
         expires=datetime.utcnow() + timedelta(days=365),
         secure=app.config["SESSION_COOKIE_SECURE"],
+        samesite=app.config["SESSION_COOKIE_SAMESITE"],
     )
     return response
@@ -29,7 +30,7 @@ def set_response_headers(response):
     response.headers["X-Frame-Options"] = "SAMEORIGIN"
     response.headers["X-Content-Type-Options"] = "nosniff"
-    response.headers["Referrer-Policy"] = "no-referrer"
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
     response.headers[
         "Content-Security-Policy"
     ] = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data: *.openstreetmap.org;"
diff --git a/project/static/site.webmanifest b/project/static/site.webmanifest
index 45dc8a2..7c020ab 100644
--- a/project/static/site.webmanifest
+++ b/project/static/site.webmanifest
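Review bot: `SameSite=Lax` is only configured here inside the `== "https"` branch, but SameSite is independent of TLS, so any deployment (or local dev) without `PREFERRED_URL_SCHEME=https` keeps Flask's default of no SameSite attribute on the session and remember cookies and gains no cross-site-request mitigation from this change. Keep only the two `*_SECURE` flags conditional on https and set `app.config["SESSION_COOKIE_SAMESITE"] = "Lax"` and `app.config["REMEMBER_COOKIE_SAMESITE"] = "Lax"` unconditionally, outside this `if` chain. The enclosing `if os.getenv(...)` block carries `# pragma: no cover`, so none of the new lines is exercised by tests; a test that logs in and asserts `SameSite=Lax` and `Secure` on the returned `Set-Cookie` headers would pin them. `REMEMBER_COOKIE_*` presumably targets Flask-Login's remember cookie; that import is outside the hunk, so this is inferred.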
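Review bot: The new `samesite=` argument reads `SESSION_COOKIE_SAMESITE`, which stays at Flask's default `None` unless the https branch in `project/__init__.py` ran, so on non-https deployments this cookie is still emitted without a SameSite attribute; that mirrors the session cookie and may be intended, but it deserves a comment such as `# mirror the session cookie's Secure/SameSite policy so both cookies behave alike`. The `set_cookie(...)` call also passes no `httponly`, so the value remains readable from page script; if `encoded` is consumed only server-side, add `httponly=True` next to `samesite`. The `set_cookie` call and `set_manage_admin_unit_cookie` itself begin before the hunk, so what `encoded` contains is not visible here.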
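Review bot: The move from `no-referrer` to `strict-origin-when-cross-origin` is a deliberate loosening — cross-origin targets, including the `*.openstreetmap.org` tile hosts allowed in `img-src`, now receive the site's origin, and same-origin requests carry the full URL including query strings — and nothing in the hunk records why; a comment above the assignment, e.g. `# origin only to cross-origin targets, nothing on HTTPS->HTTP downgrade; same-origin keeps the full URL`, would stop the next reader from reverting it. The full-URL-on-same-origin part is only safe if no secrets travel in query strings, which cannot be judged from this file. The `Content-Security-Policy` context lines still allow `'unsafe-inline'` and `'unsafe-eval'` in `script-src`; that is pre-existing, not introduced by this change. `set_response_headers` continues past the end of the hunk.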
@@ -1 +1,19 @@
-{"name":"","short_name":"","icons":[{"src":"/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"}
\ No newline at end of file
+{
+  "name": "",
+  "short_name": "",
+  "icons": [
+    {
+      "src": "/static/android-chrome-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/static/android-chrome-512x512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    }
+  ],
+  "theme_color": "#ffffff",
+  "background_color": "#ffffff",
+  "display": "standalone"
+}
diff --git a/tests/views/test_root.py b/tests/views/test_root.py
index 634e6e7..1e9a239 100644
--- a/tests/views/test_root.py
+++ b/tests/views/test_root.py
@@ -8,7 +8,7 @@ def test_home(client, seeder, utils):
     response = utils.get_ok(url)
     assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
     assert response.headers["X-Content-Type-Options"] == "nosniff"
-    assert response.headers["Referrer-Policy"] == "no-referrer"
+    assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
     assert "Content-Security-Policy" in response.headers