diff --git a/app/controllers/welcome_controller.rb b/app/controllers/welcome_controller.rb
index df5026416b3..7b1ebc82be4 100644
--- a/app/controllers/welcome_controller.rb
+++ b/app/controllers/welcome_controller.rb
@@ -1,5 +1,6 @@
 class WelcomeController < ApplicationController
 skip_before_action :require_login
+ before_action :set_cookie_attributes, only: [:index]
 def show_hints
 current_user.hints = !current_user.hints
@@ -12,4 +13,11 @@ def index; end
 def form_template
 # created for generic form template access at '/templates/form-template'
 end
+
+ private
+
+ def set_cookie_attributes
+ response.headers['Set-Cookie'] = "_session_id=#{session.id}; SameSite=Strict; Secure=true; HttpOnly"
+ response.headers['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+ end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index e9643298b08..f451d1b3908 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -50,7 +50,7 @@
 # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
- # config.force_ssl = true
+ config.force_ssl = true
 # Use the lowest log level to ensure availability of diagnostic information
 # when problems arise.
diff --git a/spec/controllers/welcome_controller_spec.rb b/spec/controllers/welcome_controller_spec.rb
index 13a18442a61..cd407084817 100644
--- a/spec/controllers/welcome_controller_spec.rb
+++ b/spec/controllers/welcome_controller_spec.rb
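Review bot: `set_cookie_attributes` writes a hand-built `Set-Cookie` string using `Secure=true`, which is not the standard flag syntax (RFC 6265 parsers accept any attribute named `Secure` and ignore the value, but the bare `Secure` token is what the spec and other tooling expect), and assigning `response.headers['Set-Cookie']` in a `before_action` does not change the attributes of the session cookie Rails emits itself after the action runs — it presumably adds a second cookie that carries the raw `session.id`, and reading `session.id` on an action that skips `require_login` looks like it forces a session for every anonymous visitor. The `only: [:index]` in the first hunk also means every other action keeps sending a cookie without these attributes. The attributes belong on the session store, e.g. `config.session_store :cookie_store, key: '_session_id', secure: true, httponly: true, same_site: :strict` in the session-store initializer (on Rails versions that accept `same_site:`), and `config.force_ssl = true` from this same commit already emits `Strict-Transport-Security` and marks cookies `Secure` for all responses, so the controller method can be dropped. If it is kept, change `Secure=true` to `Secure` and add a comment such as `# NOTE: sets a separate _session_id cookie on #index only; the session middleware still emits its own cookie.`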
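Review bot: With `config.force_ssl = true` uncommented, `ActionDispatch::SSL` emits `Strict-Transport-Security` on every production response with Rails' default `max-age` and `includeSubDomains` but without `preload`, so the `preload` value hard-coded in `WelcomeController#set_cookie_attributes` for `#index` looks like it will differ from what every other action sends. Advertising `preload` inconsistently is worth avoiding: submitting the domain to the HSTS preload list commits the host and all subdomains to HTTPS permanently, which is a deliberate decision, not a per-action header. If preload is intended, configure it once here, `config.ssl_options = { hsts: { subdomains: true, preload: true } }`, and remove the per-controller header; if not, drop `preload` from the controller. Note that this setting only takes effect in production, so the controller spec added in this commit does not exercise it.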
@@ -12,6 +12,12 @@
 it "renders welcome index" do
 expect(response).to render_template("index")
 end
+
+ it "has Cookie attributes" do
+ expect(response.headers["Set-Cookie"]).to match(/SameSite=Strict/)
+ expect(response.headers["Set-Cookie"]).to match(/HttpOnly/)
+ expect(response.headers["Strict-Transport-Security"]).to match(/max-age=31536000; includeSubDomains; preload/)
+ end
 end
 context "when not signed in" do
@@ -59,4 +65,4 @@
 get :index
 expect(response).to have_http_status(:success)
 end
-end
\ No newline at end of file
+end
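Review bot: The new `has Cookie attributes` example checks `SameSite=Strict` and `HttpOnly` but never asserts the `Secure` flag the controller also sets, and an unanchored `match(/HttpOnly/)` against the whole `Set-Cookie` header passes if any cookie in the response carries the flag, not necessarily the `_session_id` cookie under test. Anchoring the expectation to that cookie makes the test meaningful, e.g. `expect(response.headers["Set-Cookie"]).to match(/\A_session_id=[^;]*;.*\bSecure\b/)`, and a short comment naming which cookie the example is guarding would help the next reader. The enclosing `context` block starts outside the hunk, so it is not visible here whether a signed-in session is established before `get :index`.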