diff --git a/package.json b/package.json
index e75a2f2a1d..0357e33ed0 100644
--- a/package.json
+++ b/package.json
@@ -53,6 +53,7 @@
 "gulp-minify-css": "~0.5.1",
 "helmet": "~0.9.0",
 "helmet-csp": "^0.2.3",
+ "hpp": "^0.2.0",
 "jade": "~1.8.0",
 "less": "~1.7.5",
 "less-middleware": "~2.0.1",
diff --git a/server/server.js b/server/server.js
index 4ed7607a0f..a1d0ce08d1 100755
--- a/server/server.js
+++ b/server/server.js
@@ -27,6 +27,7 @@ var R = require('ramda'), expressValidator = require('express-validator'), forceDomain = require('forcedomain'), lessMiddleware = require('less-middleware'), + hpp = require('hpp'), passportProviders = require('./passport-providers'), /**
@@ -59,6 +60,7 @@ app.use(lessMiddleware(path.join(__dirname, '/public')));
 app.use(logger('dev'));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
+app.use(hpp());
 app.use(expressValidator({
 customValidators: {
 matchRegex: function (param, regex) {
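Review bot: `app.use(hpp());` in the second server/server.js hunk is mounted globally with default options, so every route now sees only the last value of a repeated query or urlencoded body parameter, and any handler that legitimately takes a multi-value field (checkbox groups, `?tag=a&tag=b`) will silently lose data. If such routes exist, exempt those field names through hpp's `whitelist` option, after confirming it is available in the 0.2.x line pinned in package.json. The position after both `bodyParser` calls and before `expressValidator` is order-dependent and deserves a comment, for example `// keep after the body parsers and before validation: collapses duplicate params to their last value`. As far as I know hpp's body check covers only urlencoded bodies by default, so values arriving through `bodyParser.json()` can still be arrays or objects and handlers should keep their own type checks. The `expressValidator({ ... })` call continues outside the hunk.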