diff --git a/benefits/settings.py b/benefits/settings.py
index daa49734c9..97eedf9bbf 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -113,6 +113,7 @@ def _filter_empty(ls):
 SESSION_COOKIE_SECURE = True
 SECURE_BROWSER_XSS_FILTER = True
+SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin-allow-popups"
 # the NGINX reverse proxy sits in front of the application in deployed environments
 # SSL terminates before getting to Django, and NGINX adds this header to indicate