diff --git a/server/app.js b/server/app.js
index 7db61be20..8f7631e9c 100644
--- a/server/app.js
+++ b/server/app.js
@@ -168,7 +168,12 @@ app.use(mount("/auth", auth));
 app.use(mount("/api", api));
 // Sets common security headers by default, such as no-sniff, hsts, hide powered
-// by etc
+// by etc, these are applied after auth and api so they are only returned on
+// standard non-XHR accessed routes
+app.use(async (ctx, next) => {
+ ctx.set("Permissions-Policy", "interest-cohort=()");
+ await next();
+});
 app.use(helmet());
 app.use(
 contentSecurityPolicy({
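Review bot: The new middleware is inserted between the existing helmet comment and `app.use(helmet())`, so the comment that describes helmet's default headers (no-sniff, hsts, hide powered-by) now sits above the Permissions-Policy middleware instead, and the header this middleware actually adds is left undocumented. Give the new block its own comment, e.g. `// helmet does not set Permissions-Policy; opt this origin out of interest-cohort (FLoC) calculation`, and keep the helmet comment directly above `app.use(helmet())`. The comment's claim that the header is only returned on non-XHR routes presumably relies on the `/auth` and `/api` mounts not calling `next()` for matched paths; that behaviour lives outside this hunk, so it is worth stating as an assumption rather than a fact. Since `ctx.set` runs before `await next()`, any downstream handler may still overwrite the header, which is acceptable as long as that is the intended precedence.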