diff --git a/.circleci/config.yml b/.circleci/config.yml
index dea585d4eb..c2d4c72a9f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -343,14 +343,13 @@ workflows:
             branches:
               only:
                 - develop
-                - fix/infected-submission
       # This is alternate dev env for parallel testing
       - "build-test":
           context : org-global      
           filters:
             branches:
               only:                
-                - ca-profile-bug-bash
+                - csp-headers
       # This is alternate dev env for parallel testing
       - "build-qa":
           context : org-global      
@@ -364,7 +363,7 @@ workflows:
           filters:
             branches:
               only:
-                - new-tc-logo
+                - csp-headers
       # This is stage env for production QA releases
       - "build-prod-staging":
           context : org-global         
@@ -372,8 +371,6 @@ workflows:
             branches:
               only:
                 - develop
-                - features/mm-dashboard
-                - fix/settings-save-fail
       # Production builds are exectuted 
       # when PR is merged to the master
       # Don't change anything in this configuration
diff --git a/src/server/index.js b/src/server/index.js
index 31f949ca61..0eee1228fd 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -131,6 +131,86 @@ async function onExpressJsSetup(server) {
     return next();
   };
 
+  server.use((req, res, next) => {
+    res.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+
+    if (req.url.startsWith('/__community__/veterans') || req.hostname === 'veterans.topcoder.com') {
+      res.header(
+        'Content-Security-Policy',
+        "default-src 'self';"
+        + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
+          + ` ${config.CDN.PUBLIC}`
+          + ' http://www.google-analytics.com'
+          + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com'
+          + ' https://assets.ubembed.com'
+          + ' https://assets.zendesk.com'
+          + ' https://browser.sentry-cdn.com'
+          + ' https://cdn.heapanalytics.com'
+          + ' https://cdn.segment.com'
+          + ' https://connect.facebook.net'
+          + ' https://d1of0acg2orgco.cloudfront.net'
+          + ' https://d1mwkvp2xbqfs9.cloudfront.net'
+          + ' https://d24oibycet9bsb.cloudfront.net'
+          + ' https://fast.trychameleon.com'
+          + ' https://static.zdassets.com'
+          + ' https://www.googletagmanager.com;'
+        + " style-src 'report-sample' 'self' 'unsafe-inline'"
+          + ` ${config.CDN.PUBLIC}`
+          + ' https://d1of0acg2orgco.cloudfront.net'
+          + ' https://d1mwkvp2xbqfs9.cloudfront.net'
+          + ' https://d24oibycet9bsb.cloudfront.net'
+          + ' https://d2nl5eqipnb33q.cloudfront.net;'
+        + " object-src 'none';"
+        + " base-uri 'self';"
+        + " connect-src 'self'"
+          + ` ${config.API.V2}/`
+          + ` ${config.API.V3}/`
+          + ` ${config.API.V4}/`
+          + ` ${config.API.V5}/`
+          + ` ${config.CDN.PUBLIC}`
+          + ` ${config.URL.COMMUNITY_APP}`
+          + ' https://api.segment.io'
+          + ' https://cdn.segment.com'
+          + ' https://ekr.zdassets.com'
+          + ' https://fast.trychameleon.com'
+          + ' https://topcoder.zendesk.com'
+          + ' https://stats.g.doubleclick.net'
+          + ' https://www.google-analytics.com;'
+        + " font-src 'self'"
+          + ' data:'
+          + ` ${config.CDN.PUBLIC}`
+          + ' https://d1of0acg2orgco.cloudfront.net'
+          + ' https://d24oibycet9bsb.cloudfront.net'
+          + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
+        + " frame-src 'self'"
+          + ` ${config.URL.AUTH}`
+          + ' https://www.youtube.com;'
+        + " img-src 'self'"
+          + ` ${config.CDN.PUBLIC}`
+          + ' https://cdn.segment.com'
+          + ' https://d1of0acg2orgco.cloudfront.net'
+          + ' https://d24oibycet9bsb.cloudfront.net'
+          + ' https://d2nl5eqipnb33q.cloudfront.net'
+          + ' https://images.ctfassets.net'
+          + ' https://heapanalytics.com'
+          + ' https://q.quora.com'
+          + ' https://topcoder-prod-media.s3.amazonaws.com'
+          + ' https://www.facebook.com'
+          + ' https://www.google-analytics.com'
+          + ' https://www.google.com'
+          + ' https://www.googletagmanager.com'
+          + ' https://i.ytimg.com;'
+        + " manifest-src 'self';"
+        + " media-src 'self';"
+        + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
+        + " worker-src 'self';",
+      );
+    }
+
+    next();
+  });
+
   /* Log Entries service proxy. */
   server.use('/community-app-assets/api/logger', checkAuthorizationHeader, (req, res) => {
     logger.log(`${req.clientIp} > `, ...req.body.data);
diff --git a/src/server/services/recruitCRM.js b/src/server/services/recruitCRM.js
index 3ae3841cb3..16edc366fe 100644
--- a/src/server/services/recruitCRM.js
+++ b/src/server/services/recruitCRM.js
@@ -209,6 +209,16 @@ export default class RecruitCRMService {
         return res.send(error);
       }
       const data = await response.json();
+
+      // If job or form not open return just job status
+      if ((data.job_status && data.job_status.id !== 1)
+        || data.enable_job_application_form !== 1) {
+        return res.send({
+          job_status: data.job_status,
+          enable_job_application_form: data.enable_job_application_form,
+        });
+      }
+
       return res.send(sanitizeJob(data));
     } catch (err) {
       return next(err);
@@ -261,10 +271,18 @@ export default class RecruitCRMService {
               const pageData = await pageDataRsp.json();
               data.data = _.flatten(data.data.concat(pageData.data));
             }
+
+            // Filter by Job Application active
+            data.data = _.filter(data.data, job => job.enable_job_application_form === 1);
+
             const toSend = _.map(data.data, j => sanitizeJob(j));
             return toSend;
           });
       }
+
+      // Filter by Job Application active
+      data.data = _.filter(data.data, job => job.enable_job_application_form === 1);
+
       const toSend = _.map(data.data, j => sanitizeJob(j));
       return toSend;
     } catch (err) {
@@ -322,6 +340,10 @@ export default class RecruitCRMService {
               const pageData = await pageDataRsp.json();
               data.data = _.flatten(data.data.concat(pageData.data));
             }
+
+            // Filter by Job Application active
+            data.data = _.filter(data.data, job => job.enable_job_application_form === 1);
+
             const toSend = _.map(data.data, j => sanitizeJob(j));
             gigsCache.set(CACHE_KEY, toSend);
             return res.send(toSend);
@@ -330,6 +352,10 @@ export default class RecruitCRMService {
             error: e,
           }));
       }
+
+      // Filter by Job Application active
+      data.data = _.filter(data.data, job => job.enable_job_application_form === 1);
+
       const toSend = _.map(data.data, j => sanitizeJob(j));
       gigsCache.set(CACHE_KEY, toSend);
       return res.send(toSend);
diff --git a/src/shared/reducers/recruitCRM.js b/src/shared/reducers/recruitCRM.js
index 888b46dfb5..4ed3a878e3 100644
--- a/src/shared/reducers/recruitCRM.js
+++ b/src/shared/reducers/recruitCRM.js
@@ -26,7 +26,7 @@ function onDone(state, { payload }) {
   return {
     ...state,
     loading: false,
-    jobs: _.filter(payload.data, job => job.enable_job_application_form === 1),
+    jobs: payload.data,
   };
 }