diff --git a/requirements/common.txt b/requirements/common.txt
index f24de2743..4dc645189 100644
--- a/requirements/common.txt
+++ b/requirements/common.txt
@@ -39,9 +39,8 @@ Brotli==1.0.7 \
     --hash=sha256:113f51658e6fe548dce4b3749f6ef6c24de4184ba9c10a909cbee4261c2a5da0 \
     --hash=sha256:0538dc1744fd17c314d2adc409ea7d1b779783b89fd95bcfb0c2acc93a6ea5a7
 
-Django==2.2.9 \
-    --hash=sha256:687c37153486cf26c3fdcbdd177ef16de38dc3463f094b5f9c9955d91f277b14 \
-    --hash=sha256:662a1ff78792e3fd77f16f71b1f31149489434de4b62a74895bd5d6534e635a5
+Django==3.0.2 \
+    --hash=sha256:4f2c913303be4f874015993420bf0bd8fd2097a9c88e6b49c6a92f9bdd3fb13a
 
 celery==4.3.0 --hash=sha256:528e56767ae7e43a16cfef24ee1062491f5754368d38fcfffa861cdb9ef219be --hash=sha256:4c4532aa683f170f40bd76f928b70bc06ff171a959e06e71bf35f2f9d6031ef9
 
@@ -77,6 +76,9 @@ newrelic==5.2.1.129 \
 mysqlclient==1.4.4 \
     --hash=sha256:9c737cc55a5dc8dd3583a942d5a9b21be58d16f00f5fefca4e575e7d9682e98c
 
+asgiref==3.2.3 \
+    --hash=sha256:ea448f92fc35a0ef4b1508f53a04c4670255a3f33d22a81c8fc9c872036adbe5
+
 # Required by celery
 billiard==3.6.1.0 --hash=sha256:01afcb4e7c4fd6480940cfbd4d9edc19d7a7509d6ada533984d0d0f49901ec82 --hash=sha256:b8809c74f648dfe69b973c8e660bcec00603758c9db8ba89d7719f88d5f01f26
 pytz==2019.2 \
@@ -201,8 +203,8 @@ django-filter==2.2.0 \
     --hash=sha256:558c727bce3ffa89c4a7a0b13bc8976745d63e5fd576b3a9a851650ef11c401b \
     --hash=sha256:c3deb57f0dd7ff94d7dce52a047516822013e2b441bed472b722a317658cfd14
 
-django-redis==4.10.0 \
-    --hash=sha256:f46115577063d00a890867c6964ba096057f07cb756e78e0503b89cd18e4e083
+django-redis==4.11.0 \
+    --hash=sha256:e1aad4cc5bd743d8d0b13d5cae0cef5410eaace33e83bff5fc3a139ad8db50b4
 
 # Required by django-redis
 redis==3.3.11 \
@@ -268,10 +270,8 @@ yarl==1.3.0 \
 taskcluster-urls==11.0.0 \
     --hash=sha256:2aceab7cf5b1948bc197f2e5e50c371aa48181ccd490b8bada00f1e3baf0c5cc
 
-graphene-django==2.4.0 \
-    --hash=sha256:7720a459da5bc99fba251f697c4d41858612bf1a36096326af86739dd31705f3 \
-    --hash=sha256:f155cfbd9d201604c3f681ef6b824cc693263946cfdf9ba140880994285016d4 \
-    --hash=sha256:5714c5dd1200800ddc12d0782b0d82db70aedf387575e5b57ee2cdee4f25c681
+graphene-django==2.8.0 \
+    --hash=sha256:a290fc41a58ee61b43ff4b4885e866ef48bb8d66b0e7088fd8dc2bd677856e6a
 
 # Used by graphene-django
 graphene==2.1.8 \
diff --git a/treeherder/config/settings.py b/treeherder/config/settings.py
index a414ec5b2..c40bc2bad 100644
--- a/treeherder/config/settings.py
+++ b/treeherder/config/settings.py
@@ -45,6 +45,9 @@ APPEND_SLASH = False
 ROOT_URLCONF = "treeherder.config.urls"
 WSGI_APPLICATION = 'treeherder.config.wsgi.application'
 
+# Send full URL within origin but only origin for cross-origin requests
+SECURE_REFERRER_POLICY = "origin-when-cross-origin"
+
 # Application definition
 INSTALLED_APPS = [
     'django.contrib.auth',