diff --git a/core/settings/base.py b/core/settings/base.py
index 655b7e30f..4a8ed7338 100644
--- a/core/settings/base.py
+++ b/core/settings/base.py
@@ -75,6 +75,11 @@
 # ABS_PATH('core', 'base_static'),
 )
+# Allow OSM tile servers to receive a Referer header (required by OSM tile policy).
+# Django's SecurityMiddleware defaults to "same-origin", which strips the Referer
+# on cross-origin requests, causing OSM tiles to return 403 "Access blocked".
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
 # default middleware classes
 MIDDLEWARE = [
diff --git a/core/settings/contrib.py b/core/settings/contrib.py
index 1bf789911..e81e8891c 100644
--- a/core/settings/contrib.py
+++ b/core/settings/contrib.py
@@ -27,7 +27,6 @@
 "DEFAULT_AUTHENTICATION_CLASSES": (
 "rest_framework.authentication.TokenAuthentication",
 "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
- "rest_framework.authentication.SessionAuthentication",
 ),
 "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
 "DEFAULT_RENDERER_CLASSES": (
diff --git a/ui/app/components/aoi/ExportAOI.js b/ui/app/components/aoi/ExportAOI.js
index db4878b13..ca9338895 100644
--- a/ui/app/components/aoi/ExportAOI.js
+++ b/ui/app/components/aoi/ExportAOI.js
@@ -277,6 +277,7 @@ export class ExportAOI extends Component {
 }),
 OSM.ATTRIBUTION
 ],
+ crossOrigin: null,
 url: "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
 })
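Review bot: The comment above `SECURE_REFERRER_POLICY` presents the change as OSM-specific, but the setting is global: every response that passes through SecurityMiddleware now tells the browser to send the site's origin as Referer on all cross-origin requests, not only tile fetches. The value is still conservative (origin only, no path or query string, and nothing on an HTTPS-to-HTTP downgrade), so I would state that in the comment, e.g. `# Applies site-wide: cross-origin requests carry only the origin, never path or query; nothing is sent on an HTTPS->HTTP downgrade.` The `MIDDLEWARE` list continues outside the hunk, so confirm that `django.middleware.security.SecurityMiddleware` is enabled there and that no environment-specific settings module overrides this value.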
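Review bot: Dropping `SessionAuthentication` from `DEFAULT_AUTHENTICATION_CLASSES` changes how every DRF view that relies on the defaults authenticates, and nothing in the visible diff explains why it belongs with the OSM tile fix. With only token and OAuth2 authentication left, a request that carries just the Django session cookie is treated as unauthenticated and is rejected by the `IsAuthenticated` default below, so any UI call that depended on the logged-in session has to send a token instead; that is worth checking before merge. If the removal is intentional (for example to stop accepting ambient cookie credentials on the API), record it next to the tuple, e.g. `# SessionAuthentication removed on purpose: the API accepts only explicit Token/OAuth2 credentials, not the browser session cookie.` Views that set `authentication_classes` themselves are not affected and should be reviewed separately. The enclosing settings dict starts and ends outside the hunk.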
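Review bot: The added `crossOrigin: null` has no comment, and it carries a side effect that should be documented at the call site: assuming this is the OpenLayers OSM source, whose `crossOrigin` default is `'anonymous'`, setting it to `null` loads tiles without CORS and taints the map canvas. Once tainted, canvas readback such as `toDataURL()` or `getImageData()` throws a SecurityError, so any feature in this component that snapshots or exports the rendered map would break. I would add `// crossOrigin: null -> tiles load without CORS; the map canvas becomes tainted and cannot be read back` and confirm nothing here reads the canvas. The diff also does not say why this is needed in addition to the referrer-policy change, so it is worth stating which of the two actually resolves the 403. The enclosing source constructor call starts outside the hunk.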