diff --git a/project/base_settings/auth_settings.py b/project/base_settings/auth_settings.py
index 9025f79..f20f729 100644
--- a/project/base_settings/auth_settings.py
+++ b/project/base_settings/auth_settings.py
@@ -90,8 +90,15 @@ def auth_from_env(auth):
 if _auth:
 INSTALLED_APPS.append('blti')
+ MIDDLEWARE.remove('django.middleware.clickjacking.XFrameOptionsMiddleware')
 MIDDLEWARE.insert(0, 'blti.middleware.SessionHeaderMiddleware')
 MIDDLEWARE.insert(0, 'blti.middleware.CSRFHeaderMiddleware')
+ MIDDLEWARE.insert(0, 'blti.middleware.SameSiteMiddleware')
+
+ # relax samesite (django-blti>=2.2.1),
+ # but protect cookies from casual snooping
+ SESSION_COOKIE_SECURE = True
+ CSRF_COOKIE_SECURE = True
 LTI_ENFORCE_SSL = parse_bool_from_str(os.getenv('LTI_ENFORCE_SSL', 'False'))
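Review bot: Removing `django.middleware.clickjacking.XFrameOptionsMiddleware` inside the `if _auth:` branch drops the X-Frame-Options header for every view of the deployment, not only the LTI launch views that must render inside the LMS frame; keeping the middleware and exempting just those views (Django's `xframe_options_exempt` decorator, or a `Content-Security-Policy: frame-ancestors` restricted to the LMS origin) would preserve clickjacking protection for the rest of the site. The `MIDDLEWARE.remove(...)` call also raises `ValueError` if that entry is absent from the base list, so a guard such as `if 'django.middleware.clickjacking.XFrameOptionsMiddleware' in MIDDLEWARE:` around it would make the settings module robust to base-list changes. `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` are set unconditionally while `LTI_ENFORCE_SSL` on the next line still defaults to `'False'`; browsers never send Secure cookies over plain HTTP, so a non-TLS deployment silently loses its session and CSRF cookies, which is worth either tying to `LTI_ENFORCE_SSL` or stating explicitly. The two-line comment does not say why Secure is needed; I would replace it with `# SameSiteMiddleware (django-blti>=2.2.1) relaxes SameSite so an LMS iframe keeps the session; browsers only accept SameSite=None cookies that are also marked Secure, so force Secure here.` The hunk header counts suggest one trailing context line lies past the end of this chunk.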