diff --git a/Gemfile b/Gemfile
index 4d13fd7ab42..fd2b2243020 100644
--- a/Gemfile
+++ b/Gemfile
@@ -116,6 +116,7 @@ gem 'therubyracer', require: 'v8'
 gem 'thin', require: false
 gem 'diffy', '>= 3.0', require: false
 gem 'highline', require: false
+gem 'rack-protection' # security
 
 # Gem that enables support for plugins. It is required.
 gem 'discourse_plugin', path: 'vendor/gems/discourse_plugin'
diff --git a/Gemfile.lock b/Gemfile.lock
index 704de69c964..abb543b815c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -522,6 +522,7 @@ DEPENDENCIES
   qunit-rails
   rack-cors
   rack-mini-profiler!
+  rack-protection
   rails (= 3.2.12)
   rails_multisite!
   rake