diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -144,6 +144,9 @@
 $csp[] = "frame-ancestors 'none'";
 }
 
+ // Block relics of the old world: Flash, Java applets, and so on.
+ $csp[] = "object-src 'none'";
+
 $csp = implode('; ', $csp);
 
 return $csp;
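Review bot: The comment above the new `object-src 'none'` line says what is being blocked but not why the directive has to be spelled out, which is the part a future maintainer is likely to second-guess; `object-src` is one of the fetch directives that falls back to `default-src` when it is absent, so unless `default-src` is already `'none'` further up in this method (not visible in the hunk), plugin content stays loadable without this line. I would make the comment carry that reasoning: `// Plugin content (<object>, <embed>, <applet>) is covered by object-src, which otherwise inherits from default-src; deny it explicitly so Flash/Java-style embeds can never load regardless of the other directives.` It is also worth a word that this directive is unconditional while `frame-ancestors 'none'` just above is appended only inside an `if`, so readers do not assume the same gate applies. The enclosing method begins before this hunk and its closing brace follows the `return $csp;` line outside it.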