diff --git a/files/__main__.py b/files/__main__.py
index 71ebbc0e6b..1eb2518c5c 100644
--- a/files/__main__.py
+++ b/files/__main__.py
@@ -213,9 +213,11 @@ def before_request():
 	g.timestamp = int(time.time())
 
 	#do not access session for static files
-	if request.path.startswith("/assets"): return
+	if not request.path.startswith("/assets"):
+		session.permanent = True
 
-	session.permanent = True
+		if not session.get("session_id"):
+			session["session_id"] = secrets.token_hex(16)
 
 	ua_banned, response_tuple = get_useragent_ban_response(
 		request.headers.get("User-Agent", "NoAgent"))
@@ -227,9 +229,6 @@ def before_request():
 		url = request.url.replace("http://", "https://", 1)
 		return redirect(url, code=301)
 
-	if not session.get("session_id"):
-		session["session_id"] = secrets.token_hex(16)
-
 	ua=request.headers.get("User-Agent","")
 	if "CriOS/" in ua:
 		g.system="ios/chrome"
@@ -256,10 +255,16 @@ def after_request(response):
 		print(e)
 		abort(500)
 
+	response.headers.add("Strict-Transport-Security", "max-age=31536000")
+	response.headers.add("Referrer-Policy", "same-origin")
+
+	response.headers.add("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';")
+	response.headers.add("X-Frame-Options", "deny")
+
 	return response
 
 
 @app.route("/<path:path>", subdomain="www")
 def www_redirect(path):
 
-	return redirect(f"https://{app.config['SERVER_NAME']}/{path}")
\ No newline at end of file
+	return redirect(f"https://{app.config['SERVER_NAME']}/{path}")