diff --git a/app.js b/app.js
index 5165966..77e8f53 100644
--- a/app.js
+++ b/app.js
@@ -1,5 +1,6 @@
 "use strict";
 var express = require('express');
+var helmet = require('helmet');
 var path = require('path');
 var favicon = require('serve-favicon');
 var logger = require('morgan');
@@ -18,6 +19,7 @@ app.set('view engine', 'ejs');
 
 // uncomment after placing your favicon in /public
 //app.use(favicon(__dirname + '/public/favicon.ico'));
+app.use(helmet());
 app.use(logger('dev'));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
@@ -30,6 +32,15 @@ app.use(session({
 app.use(flash());
 app.use(express.static(path.join(__dirname, 'public')));
 
+// force SSL
+app.get('*', function(req,res,next) {
+  if (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] != 'https') {
+    res.redirect(req.headers['host'] + req.url);
+  } else {
+    next();
+  }
+});
+
 app.use('/', routes);
 
 // catch 404 and forward to error handler
diff --git a/package.json b/package.json
index a571a51..0d9252e 100644
--- a/package.json
+++ b/package.json
@@ -17,6 +17,7 @@
     "ejs": "~0.8.5",
     "express": "~4.9.0",
     "express-session": "^1.9.2",
+    "helmet": "^0.5.2",
     "morgan": "~1.3.0",
     "playmusic": "^1.1.0",
     "rdio": "^1.5.2",
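Review bot: `app.use(helmet())` relies on whatever middlewares this helmet version enables by default, and as far as I recall the 0.x releases did not turn on HSTS unless asked, so the HTTPS redirect added further down in this file would not be backed by a `Strict-Transport-Security` header and browsers would keep issuing a plaintext first request on every visit. If that is the case for 0.5.2, register it explicitly right after this line with `helmet.hsts` and a max-age of at least several months (check the argument form for this release — older versions took milliseconds, not seconds). A short comment above the line, `// helmet(): X-Frame-Options, nosniff, XSS filter, hide X-Powered-By; HSTS/CSP are opt-in`, would also make the default set visible to the next reader.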
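Review bot: `res.redirect(req.headers['host'] + req.url)` has no scheme, so Express sends a relative `Location` (e.g. `Location: example.com/foo`) that the browser resolves against the current http:// page; the client never reaches https and, since `/example.com/foo` is again served over http, this loops — it needs `res.redirect(301, 'https://' + req.headers['host'] + req.url);` (and `!==` rather than `!=`). The handler is also registered with `app.get('*', …)`, so POST and every other method still pass over plaintext; `app.use(function (req, res, next) { … })` covers all methods, and non-GET requests should probably be refused rather than redirected, since a 301/302 turns them into GETs. Because it sits after `express.static` and `session`, static files and the session cookie are still served over http before the redirect fires; moving it above those and flagging the session cookie `secure` (the `session({` options are outside this hunk) closes that. Finally, both `x-forwarded-proto` and `host` come from the request, so behind a proxy the idiomatic check is `app.enable('trust proxy')` plus `req.secure`, and the redirect target should be a configured canonical hostname rather than the attacker-suppliable Host header.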