diff --git a/index.php b/index.php
index cad928d6..29b8686b 100644
--- a/index.php
+++ b/index.php
@@ -280,10 +280,14 @@ if ($action == 'login') {
 	$lastscript = "";
 	if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") {
 		$lastscript = $_REQUEST['script'];
+
+		if (!file_exists(__DIR__."/".$lastscript)) {
+			$lastscript = "";
+		}
 	}
 	$lastqrystr = "";
 	if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
-		$lastqrystr = $_REQUEST['qrystr'];
+		$lastqrystr = strip_tags($_REQUEST['qrystr']);
 	}
 	eval("echo \"" . getTemplate('login') . "\";");
diff --git a/lib/init.php b/lib/init.php
index 61157c59..bee4fb3a 100644
--- a/lib/init.php
+++ b/lib/init.php
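Review bot: The added `file_exists(__DIR__."/".$lastscript)` guard only asks whether something exists at that path, so a `script` value containing `..` segments or naming a directory still passes and is carried into the login template; restrict it to a plain file name, e.g. `if (strpos($lastscript, '..') !== false || $lastscript !== basename($lastscript) || !is_file(__DIR__.'/'.$lastscript)) { $lastscript = ""; }`. `strip_tags()` on `qrystr` is not an output escape — it leaves quotes and other attribute-context characters untouched — so where the value is interpolated into the template it should be `$lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES, 'UTF-8');`, and `$lastscript`, which is stored unescaped, needs the same treatment at output. The `eval("echo \"" . getTemplate('login') . "\";")` rendering on the last context line predates this commit, but it means every variable reachable from the template is an output-escaping obligation rather than something a pre-filter can settle. The enclosing `if ($action == 'login')` block begins before the hunk.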
@@ -28,19 +28,25 @@ header('Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time()));
 // Prevent inline - JS to be executed (i.e. XSS) in browsers which support this,
 // Inline-JS is no longer allowed and used
 // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
-header("X-Content-Security-Policy: allow 'self'; frame-ancestors 'none'");
+// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
+$csp_content = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; reflected-xss block;";
+header("Content-Security-Policy: ".$csp_content);
+header("X-Content-Security-Policy: ".$csp_content);
+header("X-WebKit-CSP: ".$csp_content);
+
+header("X-XSS-Protection: 1; mode=block");
 // Don't allow to load Froxlor in an iframe to prevent i.e. clickjacking
-header('X-Frame-Options: DENY');
+header("X-Frame-Options: DENY");
 // If Froxlor was called via HTTPS -> enforce it for the next time
 if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
-	header('Strict-Transport-Security: max-age=500');
+	header("Strict-Transport-Security: max-age=500");
 }
 // Internet Explorer shall not guess the Content-Type, see:
 // http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-header('X-Content-Type-Options: nosniff' );
+header("X-Content-Type-Options: nosniff");
 // ensure that default timezone is set
 if (function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get")) {
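Review bot: The new `$csp_content` drops the `frame-ancestors 'none'` directive that the removed `X-Content-Security-Policy` header carried, leaving anti-framing to `X-Frame-Options` alone; add `frame-ancestors 'none';` to the policy string so browsers that give CSP precedence over `X-Frame-Options` keep the protection. `reflected-xss block` was only ever a draft directive and is ignored by current browsers, so the `X-XSS-Protection` header added below is the part that actually takes effect — a short comment, e.g. `// reflected-xss is a draft directive; X-XSS-Protection below is what browsers honour`, would stop a later reader from relying on it. `default-src 'none'` with `script-src 'self'` and `style-src 'self'` also forbids inline scripts and styles and any web fonts; whether the templates depend on those is not visible in this hunk and should be confirmed before merge. The `header(...)` calls are top-level statements, not inside a function.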