diff --git a/CHANGELOG.md b/CHANGELOG.md
index c769165666e47b6c6b98545d0c8d103713b492b1..5aa87fe50a97fe846d6cb5250cf2d1297be360f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 
 * Added support for structured logging (JSON).
+- Added `X-Content-Security-Policy: sandbox` in contexts where the normal CSP
+  header would be served. This is a limited, pre-standard form of CSP supported
+  by IE11, in order to have at least some mitigation of XSS attacks.
 
 ### Changed
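Review bot: The new entry under "### Added" starts with `-` while the existing entry directly above it starts with `*`; use `*` so the list renders as one list and stays consistent with the rest of the section. The entry also leaves the user-visible effect unstated. It names a bare `sandbox` value with no `allow-*` tokens, which applies the full set of sandbox restrictions in browsers that honour this header, so the changelog should say whether the affected responses are expected to keep working in IE11 (scripts, forms) or whether reduced functionality there is the intended trade-off. It would also help to name which "contexts" get the header, or link to where the normal CSP header is documented, so operators can tell which responses change.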