diff --git a/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml b/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml
index a56813a..899350e 100644
--- a/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml
+++ b/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml
@@ -10,6 +10,7 @@
+
diff --git a/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy b/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy
index 1dbe99f..1117956 100644
--- a/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy
+++ b/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy
@@ -55,6 +55,12 @@ if (inargs['cd'] != null) {
 // 2b) clean the url, if necessary
 if (request.currentResource.replaceAll('^https:\\/\\/[^\\/]+\\/AUTH\\/ONBOARDING\\/', '').length() > 0) {
+ if (inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
+ // language change, set the language cookie
+ def langCookie = "LANG=${inargs['language']}; Domain=${parameters.get('cookie.domain')}; Path=/"
+ response.setHeader('Set-Cookie', langCookie)
+ }
+
 response.setStatus(AuthResponse.AUTH_CONTINUE)
 response.setTransferDestination('/AUTH/ONBOARDING/')
 response.setIsRedirectTransfer(true)
diff --git a/patterns/29a7ba8eaff67eb26d2394bc_script/setCspHeaders.lua b/patterns/29a7ba8eaff67eb26d2394bc_script/setCspHeaders.lua
new file mode 100644
index 0000000..0a061d5
--- /dev/null
+++ b/patterns/29a7ba8eaff67eb26d2394bc_script/setCspHeaders.lua
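Review bot: The new Set-Cookie value in the groovy hunk is built straight from the request parameter `inargs['language']` without checking it against the languages the deployment supports, and the cookie carries neither `Secure` nor `SameSite`, although the realm pattern in this same change uses `cookieSameSite: "Lax"`. Validate first, e.g. `def lang = inargs['language']` and `if (lang && lang ==~ /[a-z]{2}/ && lang != session['ch.nevis.session.user.language']) {` (the pattern is a constructed example; replace it with the real language list), then emit `def langCookie = "LANG=${lang}; Domain=${parameters.get('cookie.domain')}; Path=/; Secure; SameSite=Lax"`. Whether `response.setHeader('Set-Cookie', ...)` replaces a Set-Cookie already queued on this response is not visible here; if it does, any cookie set earlier in the script would be dropped, so an append-style call should be preferred if the API offers one. The enclosing `if (inargs['cd'] != null)` block begins before the hunk and continues after it.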
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+ else
+ trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy-report-only", param_report_only_csp)
+ else
+ trace:debug("AGOV CSP: No report only CSP-header set")
+ end
+end
diff --git a/patterns/Base_Security_Response_Headers_36886a1934993d1f69690e1d.yml b/patterns/Base_Security_Response_Headers_36886a1934993d1f69690e1d.yml
new file mode 100644
index 0000000..4ab3f32
--- /dev/null
+++ b/patterns/Base_Security_Response_Headers_36886a1934993d1f69690e1d.yml
@@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+ id: "36886a1934993d1f69690e1d"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+ name: "Base Security Response Headers"
+ label: "PROXY"
+ notes: "The security response headers, which are environment independent and/or\
+ \ static"
+ properties:
+ responseHeaders:
+ - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+ - X-Content-Type-Options: "nosniff"
+ - Referrer-Policy: "strict-origin-when-cross-origin"
+ - X-Frame-Options: "DENY"
+ - Cross-Origin-Opener-Policy: "same-origin"
+ - Cross-Origin-Embedder-Policy: "require-corp"
+ - Cross-Origin-Resource-Policy: "same-site"
+ - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
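Review bot: `trace` and `cspHeader` in `outputHeader` are assigned without `local`, so they become globals of the Lua state; if nevisProxy reuses that state across requests (not visible here) a `cspHeader` from one response can be observed while handling another, and either way the idiom is `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")`. In the else branch `param_csp` is concatenated into the debug message before anything checks it, so an unset parameter fails with a Lua concatenation error rather than a readable log line; guard it the way the report-only parameter is guarded, e.g. `if (param_csp == nil or param_csp == "") then trace:debug("AGOV CSP: param_csp not configured, no header set") else ... end`. A short header comment stating that `param_csp` is applied only when the backend sent no CSP, and that `param_report_only_csp` uses the literal `"none"` as the off switch, would make the contract with variables.yml explicit; "Additionl" in the debug text is a typo.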
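Review bot: `Cross-Origin-Embedder-Policy: require-corp` combined with `Cross-Origin-Opener-Policy: same-origin` in the Base Security Response Headers section opts every page on these virtual hosts into cross-origin isolation, so browsers refuse any cross-origin subresource (script, image, font, frame) that is not served with CORS or a permissive Cross-Origin-Resource-Policy. Nothing on the page shows this was verified against the cross-origin loads the CSP in variables.yml permits; either confirm each of them is CORP/CORS-enabled or start with `Cross-Origin-Embedder-Policy: "credentialless"` and tighten once verified. Because the pattern's `notes` describe these headers as environment independent, stating there that the COEP/COOP pair is deliberate (and its effect on third-party resources) would keep a later operator from loosening it without context.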
diff --git a/patterns/CSP_Security_Response_Headers_29a7ba8eaff67eb26d2394bc.yml b/patterns/CSP_Security_Response_Headers_29a7ba8eaff67eb26d2394bc.yml
new file mode 100644
index 0000000..447e55a
--- /dev/null
+++ b/patterns/CSP_Security_Response_Headers_29a7ba8eaff67eb26d2394bc.yml
@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+ id: "29a7ba8eaff67eb26d2394bc"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+ name: "CSP Security Response Headers"
+ properties:
+ script: "res://29a7ba8eaff67eb26d2394bc#script"
+ phase: "BEFORE_SANITATION"
+ parameters: "var://csp-security-response-headers"
diff --git a/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml b/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml
index 8060dca..63a9967 100644
--- a/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml
+++ b/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml
@@ -16,6 +16,7 @@ pattern:
 labels: "res://6df66943ca713eed2a25d935#labels"
 labelsMode: "combined"
 defaultLabels: "enabled"
+ defaultProperties: "var://nevislogrend-configuration-logrendproperties"
 sessionTracking: "COOKIE"
 cookieName: "OP-ONBRDNG"
 cookieSameSite: "Lax"
diff --git a/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml b/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
deleted file mode 100644
index bda5066..0000000
--- a/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-schemaVersion: "1.0"
-pattern:
- id: "9c6ad44795320a7adec1ccde"
- className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
- name: "Security Response Headers"
- properties:
- responseHeaders: "var://security-response-headers-response-headers"
diff --git a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
index 15f7032..ca3e20a 100644
--- a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
+++ b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
@@ -14,4 +14,5 @@ pattern:
 addons:
 - "pattern://58ece0328f5bf4d78e1a82d2"
 - "pattern://076ce5c5440843a23150b386"
- - "pattern://9c6ad44795320a7adec1ccde"
+ - "pattern://29a7ba8eaff67eb26d2394bc"
+ - "pattern://36886a1934993d1f69690e1d"
diff --git a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
index 20d0bf4..1c9727c 100644
--- a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
+++ b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
@@ -16,4 +16,5 @@ pattern:
 - "pattern://58ece0328f5bf4d78e1a82d2"
 - "pattern://076ce5c5440843a23150b386"
 - "pattern://d9c194064d834ad41843ff4e"
- - "pattern://9c6ad44795320a7adec1ccde"
+ - "pattern://36886a1934993d1f69690e1d"
+ - "pattern://29a7ba8eaff67eb26d2394bc"
diff --git a/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml b/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
index 1e51026..6c5a014 100644
--- a/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
+++ b/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
@@ -5,7 +5,6 @@ pattern:
 name: "nevisIDM Custom Property verificationTransactionId"
 properties:
 propertyName: "verificationTransactionId"
- uniquenessScope: "ABSOLUTE"
 clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
 maxLength: "50"
 accessModify: "READ_ONLY"
diff --git a/variables.yml b/variables.yml
index a196329..b81d72f 100644
--- a/variables.yml
+++ b/variables.yml
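Review bot: Dropping `uniquenessScope: "ABSOLUTE"` from the verificationTransactionId custom property means nevisIDM will no longer reject two users that carry the same verification transaction id, and the commit gives no reason for relaxing it. If any onboarding step looks a user up by this property, a duplicate makes that lookup ambiguous and could tie a verification result to the wrong account; whether such a lookup exists is not visible on the page. If the id is only ever written and never searched, a `notes:` line on the pattern saying so (and that duplicates are expected) would document the decision; otherwise the uniqueness scope should stay.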
@@ -5,7 +5,7 @@ variables:
 parameters:
 minRequired: 0
 maxAllowed: 1
- value: "contoso.org"
+ value: "agov.admin.ch"
 requireOverloading: true
 agov_admin_idm-db-management:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
@@ -57,6 +57,23 @@ variables:
 syntax: "YAML"
 value: "caFile.pem"
 requireOverloading: true
+ csp-security-response-headers:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ separators:
+ - "="
+ switchedSeparators: []
+ value:
+ - param_csp: "default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM='\
+ \ 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo='\
+ \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:;\
+ \ child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle;\
+ \ img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\
+ \ https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect\
+ \ https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect;\
+ \ font-src 'self';"
+ - param_report_only_csp: "none"
+ requireOverloading: true
 externalingresssettings-annotations:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
 parameters:
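Review bot: The default `param_csp` value in the second variables.yml hunk has no `frame-ancestors` and no `base-uri` directive; `default-src 'none'` covers neither, so framing protection rests entirely on the `X-Frame-Options: DENY` header from the base pattern and an injected `<base>` element would not be blocked. Append `frame-ancestors 'none'; base-uri 'none';` to the value (use `'self'` for base-uri only if the UI relies on a base element). `style-src 'self' 'unsafe-inline'` is the remaining weak directive; if the inline styles are static, hashing them as is already done for scripts would let it go. The `form-action` list and the script hashes name the `agov-d` environment inside a supposedly environment-independent default, which is only safe because `requireOverloading: true` forces every environment to override it; a `#` comment above `param_csp` saying that the hashes and hosts are the dev baseline would make that expectation visible to operators.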