diff --git a/plugins/OAuth2/OAuth2.php b/plugins/OAuth2/OAuth2.php
index d472c04790..0f764eaad3 100644
--- a/plugins/OAuth2/OAuth2.php
+++ b/plugins/OAuth2/OAuth2.php
@@ -43,6 +43,7 @@ use Plugin\OAuth2\Controller\Apps;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
 use Trikoder\Bundle\OAuth2Bundle\Event\UserResolveEvent;
+use Trikoder\Bundle\OAuth2Bundle\Model\Grant;
 use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;
 use XML_XRD_Element_Link;
@@ -106,6 +107,7 @@ class OAuth2 extends Plugin implements EventSubscriberInterface
 $user = Common::ensureLoggedIn();
 $event->setUser($user);
 $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
+ $event->getClient()->setGrants(new Grant('client_credentials'), new Grant('authorization_code'));
 } catch (NoLoggedInUser) {
 $event->setResponse(new Response(302, [
 'Location' => Router::url('security_login', [
diff --git a/src/Core/Controller.php b/src/Core/Controller.php
index a56a42c1db..e311b564de 100644
--- a/src/Core/Controller.php
+++ b/src/Core/Controller.php
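Review bot: The `setGrants(new Grant('client_credentials'), new Grant('authorization_code'))` call runs for every client on every approved authorization request, so the client's permitted grant types are dictated here rather than by how the client was registered, and `client_credentials` — a grant that issues tokens with no user involved — is handed to all of them. If `setGrants` replaces the existing list (as the bundle's `Client` model appears to do), any narrower per-client configuration is silently widened at approval time; whether that change is persisted depends on an entity flush that is not visible in this hunk. Grant assignment belongs at client registration, or at minimum this line needs a comment stating the intent: `// NOTE: overrides the registered grants for every client on each approval — confirm this is intended`. The enclosing method and its try/catch start and end outside the hunk.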
@@ -180,8 +180,15 @@ abstract class Controller extends AbstractController implements EventSubscriberI
 $event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
 $event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
 $event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
- $event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN');
+ $event->getResponse()->headers->set('x-frame-options', 'DENY');
 $event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
+ $event->getResponse()->headers->set('x-content-type-options', 'nosniff');
+ $event->getResponse()->headers->set('x-download-options', 'noopen');
+ $event->getResponse()->headers->set('x-permitted-cross-domain-policies', 'none');
+ $event->getResponse()->headers->set('access-control-allow-credentials', true);
+ $event->getResponse()->headers->set('access-control-allow-origin', '*');
+ $event->getResponse()->headers->set('referrer-policy', 'same-origin');
+ $event->getResponse()->headers->set('access-control-expose-headers', 'Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key');
 $policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
 $event->getResponse()->headers->set('Content-Security-Policy', $policy);
 $event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
@@ -257,6 +264,7 @@ abstract class Controller extends AbstractController implements EventSubscriberI
 } else {
 return null;
 }
+ // no break
 case 'params':
 return $this->request->query->all();
 default:
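Review bot: `access-control-allow-origin: *` paired with `access-control-allow-credentials: true` is an invalid CORS combination — browsers reject credentialed cross-origin responses whose allow-origin is the wildcard — and the credentials header is set with the PHP bool `true`, which reaches the wire as `1` (the spec only recognises the literal string `true`) or raises a TypeError under strict types with a string-typed `HeaderBag::set`. Both headers are also emitted on every response this listener touches, including authenticated ones, so the tempting future "fix" of reflecting the request `Origin` would expose session-bearing responses to any site. Either drop the two `access-control-allow-*` lines from this global hook or restrict them to a specific allow-listed origin passed as a string, e.g. `->set('access-control-allow-origin', $allowedOrigin /* constructed: single trusted origin */);` and `->set('access-control-allow-credentials', 'true');`. Separately, `x-frame-options: DENY` now disagrees with the CSP's `frame-ancestors 'self'` a few lines below; browsers that honour frame-ancestors ignore X-Frame-Options, so same-origin framing remains allowed and the two should be brought into agreement. The enclosing method starts and ends outside the hunk.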
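Review bot: The added `// no break` is the fixer marker that silences the switch fall-through warning, but it does not say whether falling from this case into `case 'params'` is intended. From the visible lines the `else` branch returns `null`, so the fall-through can only come from the `if` branch, which lies outside the hunk; if that branch also returns, the marker annotates dead code, and if it does not, the reason belongs in the comment, e.g. `// no break: intentionally falls through to the query-parameter lookup`. The enclosing switch and method start and end outside the hunk.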