diff --git a/benefits/settings.py b/benefits/settings.py
index daa49734c..71bde513c 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -114,6 +114,10 @@ def _filter_empty(ls):
 SECURE_BROWSER_XSS_FILTER = True
+# required so that cross-origin pop-ups (like the enrollment overlay) have access to parent window context
+# https://github.com/cal-itp/benefits/pull/793
+SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin-allow-popups"
+
 # the NGINX reverse proxy sits in front of the application in deployed environments
 # SSL terminates before getting to Django, and NGINX adds this header to indicate
 # if the original request was secure or not
diff --git a/requirements.txt b/requirements.txt
index b29061ce0..9ff1d6653 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 Authlib==1.0.1
-Django==3.2.14
+Django==4.0.6
 django-csp==3.7
 git+https://github.com/cal-itp/eligibility-api#egg=eligibility_api
 gunicorn==20.1.0
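Review bot: The relaxed value of `SECURE_CROSS_ORIGIN_OPENER_POLICY` in the settings.py hunk applies to every response the app serves, while the comment names only the enrollment overlay as needing it. With `same-origin-allow-popups`, a window this site opens keeps a `window.opener` reference back to the page unless the popup sets its own opener policy, so other outbound links that open new windows should carry `rel="noopener"`. The comment would be more precise as `# relaxes the "same-origin" default so pop-ups this site opens (the enrollment overlay) keep window.opener; sent on all responses`. If only the enrollment page needs this, consider keeping the default here and setting the `Cross-Origin-Opener-Policy` header on that view's response; SecurityMiddleware appears to leave an already-set header alone, but confirm that before relying on it. The settings module continues outside the hunk, so whether SecurityMiddleware is enabled is not visible here.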