diff --git a/python/nav/django/settings.py b/python/nav/django/settings.py
index 1847ec24ca..4d7c6ea68c 100644
--- a/python/nav/django/settings.py
+++ b/python/nav/django/settings.py
@@ -29,6 +29,7 @@ from nav.db import get_connection_parameters
 import nav.buildconf
 from nav.jwtconf import JWTConf
+from nav.web.security import WebSecurityConfigParser
 ALLOWED_HOSTS = ['*']
@@ -252,6 +253,20 @@
 'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
 ]
+# Web security options supported by Django
+# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
+# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
+# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
+# Example conf:
+# [security]
+# ssl = on
+ SECURE_BROWSER_XSS_FILTER = True # Does no harm
+ _websecurity_config = WebSecurityConfigParser()
+_tls_enabled = bool(_websecurity_config.getboolean('security', 'tls'))
+SESSION_COOKIE_SECURE = _tls_enabled
+ # Hack for hackers to use features like debug_toolbar etc.
 # https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
 if _config_dir:
diff --git a/python/nav/etc/webfront/webfront.conf b/python/nav/etc/webfront/webfront.conf
index 302aaa1774..05ca2a3c2a 100644
--- a/python/nav/etc/webfront/webfront.conf
+++ b/python/nav/etc/webfront/webfront.conf
@@ -130,3 +130,6 @@ enabled = no
 # Some remote user systems need to be visited *after* NAV has logged the user
 # out. The default/unset value is "/"
 #post-logout-redirect-url=/magic/logout?nexthop=/
+ [security]
+# tls = off
diff --git a/python/nav/web/security.py b/python/nav/web/security.py
new file mode 100644
index 0000000000..815d2f162d
--- /dev/null
+++ b/python/nav/web/security.py
@@ -0,0 +1,11 @@
+from pathlib import Path
+ from nav.config import NAVConfigParser
+
+ class WebSecurityConfigParser(NAVConfigParser):
+ DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
+ DEFAULT_CONFIG = u"""
+[security]
+tls=off
+"""
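Review bot: The example block in the new settings.py comment documents a key the code never reads — it shows `# ssl = on`, while the two lines below query `getboolean('security', 'tls')` and the shipped webfront.conf comments out `tls = off`; the example should read `# tls = on`. Only the session cookie is marked Secure when TLS is on, although the CSRF cookie travels over the same channel; adding `CSRF_COOKIE_SECURE = _tls_enabled` directly under `SESSION_COOKIE_SECURE = _tls_enabled` keeps the two cookies consistent. The `bool()` wrapper around `getboolean()` is redundant if NAVConfigParser keeps the stdlib ConfigParser return type, which this hunk does not show. The `# Does no harm` remark on SECURE_BROWSER_XSS_FILTER would be more useful if it said that the X-XSS-Protection header it enables is a legacy header that current browsers no longer honour, so it is not a substitute for the other settings linked in the comment.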
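Review bot: The new `[security]` section in webfront.conf carries no explanation of what `tls` controls, while every other option in this file is introduced by a comment. A line such as `# Set to "on" when NAV is served over TLS; session cookies are then marked Secure and never sent over plain HTTP` above `# tls = off` tells an administrator why and when to enable it, and that leaving the default means the hardening is off.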
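Review bot: `WebSecurityConfigParser` in the new security.py has no docstring, and nothing in the file says that `DEFAULT_CONFIG_FILES` and `DEFAULT_CONFIG` are presumably the hooks NAVConfigParser consults, or that the built-in default of `tls=off` means cookies are not marked Secure unless an administrator opts in. A class docstring along the lines of `"""Parses the [security] section of webfront.conf; the built-in default of tls=off leaves TLS-dependent cookie hardening disabled."""` would cover that. The `u"""` prefix is a Python 2 remnant; a plain `"""` string is the same value on Python 3, which the `pathlib` import already presupposes.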