diff --git a/common/routes_common.go b/common/routes_common.go
index 8af46e29..1608a1ab 100644
--- a/common/routes_common.go
+++ b/common/routes_common.go
@@ -292,12 +292,6 @@ func preRoute(w http.ResponseWriter, r *http.Request) (User, bool) {
 		usercpy.LastIP = host
 	}
 
-	h := w.Header()
-	h.Set("X-Frame-Options", "deny")
-	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
-	// TODO: Set the content policy header
-	h.Set("X-Content-Type-Options", "nosniff")
-
 	return *usercpy, true
 }
 
diff --git a/gen_router.go b/gen_router.go
index a4efdab5..493da1de 100644
--- a/gen_router.go
+++ b/gen_router.go
@@ -668,6 +668,12 @@ func (router *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	h := w.Header()
+	h.Set("X-Frame-Options", "deny")
+	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
+	// TODO: Set the content policy header
+	h.Set("X-Content-Type-Options", "nosniff")
+
 	// TODO: Cover more suspicious strings and at a lower layer than this
 	for _, char := range req.URL.Path {
 		if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {
diff --git a/router_gen/main.go b/router_gen/main.go
index a5e7243b..880446e8 100644
--- a/router_gen/main.go
+++ b/router_gen/main.go
@@ -445,6 +445,12 @@ func (router *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	h := w.Header()
+	h.Set("X-Frame-Options", "deny")
+	h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
+	// TODO: Set the content policy header
+	h.Set("X-Content-Type-Options", "nosniff")
+
 	// TODO: Cover more suspicious strings and at a lower layer than this
 	for _, char := range req.URL.Path {
 		if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {