diff --git a/python/nav/django/settings.py b/python/nav/django/settings.py
index 5e27110c6d..6aa03157b6 100644
--- a/python/nav/django/settings.py
+++ b/python/nav/django/settings.py
@@ -29,6 +29,7 @@
 from nav.db import get_connection_parameters
 import nav.buildconf
 from nav.jwtconf import JWTConf
+from nav.web.security import WebSecurityConfigParser
 
 ALLOWED_HOSTS = ['*']
 
@@ -254,6 +255,20 @@
     'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
 ]
 
+# Web security options supported by Django
+# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
+# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
+# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
+# Example conf:
+# [security]
+# ssl = on
+
+SECURE_BROWSER_XSS_FILTER = True # Does no harm
+
+_websecurity_config = WebSecurityConfigParser()
+_tls_enabled = bool(_websecurity_config.getboolean('tls', False))
+SESSION_COOKIE_SECURE = _tls_enabled
+
 # Hack for hackers to use features like debug_toolbar etc.
 # https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
 if _config_dir:
diff --git a/python/nav/web/security.py b/python/nav/web/security.py
new file mode 100644
index 0000000000..c7d1f1a36b
--- /dev/null
+++ b/python/nav/web/security.py
@@ -0,0 +1,11 @@
+from pathlib import Path
+
+from nav.config import NAVConfigParser
+
+
+class WebSecurityConfigParser(NAVConfigParser):
+    DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
+    DEFAULT_CONFIG = u"""
+[security]
+tls=on
+"""
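Review bot: The `getboolean('tls', False)` call in the second settings.py hunk looks like it passes 'tls' as the section name and False as the option, because the standard ConfigParser signature is `getboolean(section, option, fallback=...)`; unless NAVConfigParser (not visible here) overrides that signature, this will not read `[security] tls` and will raise or misbehave at import time. The intended read is presumably `_tls_enabled = _websecurity_config.getboolean('security', 'tls', fallback=False)`, which also makes the outer `bool(...)` wrapper unnecessary since getboolean already returns a bool. The comment block documents the option as `ssl = on` while the code and the new default config use the key `tls`; the example should read `# tls = on` so operators set the option the code actually reads. SESSION_COOKIE_SECURE is set from the flag but the sibling CSRF_COOKIE_SECURE is not; a line `CSRF_COOKIE_SECURE = _tls_enabled` keeps both cookies consistent when TLS is on.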
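Review bot: WebSecurityConfigParser has no module or class docstring, so the meaning of the `[security]` section and the `tls` option lives only in a settings.py comment; a class docstring such as "Parses the [security] section of webfront.conf; `tls` states whether the site is served over TLS so secure-only cookie flags can be enabled" would make the contract visible where the default is defined. Note also that DEFAULT_CONFIG defaults `tls=on` while settings.py falls back to False when the option is absent, so the effective default depends on which path is taken; if TLS-on is the intended default, the docstring should say so. The `u"""` prefix is a Python 2 leftover and can be dropped in a file that already uses pathlib.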