diff --git a/core/src/main/java/google/registry/flows/EppXmlSanitizer.java b/core/src/main/java/google/registry/flows/EppXmlSanitizer.java
index af5ba6147..0d379e5d0 100644
--- a/core/src/main/java/google/registry/flows/EppXmlSanitizer.java
+++ b/core/src/main/java/google/registry/flows/EppXmlSanitizer.java
@@ -165,6 +165,9 @@ public class EppXmlSanitizer {
 xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
 // Preserve Name Space information.
 xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ // Prevent XXE attacks.
+ xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 return xmlInputFactory;
 }
 }
diff --git a/core/src/main/java/google/registry/tmch/TmchXmlSignature.java b/core/src/main/java/google/registry/tmch/TmchXmlSignature.java
index 6094178be..a1f772db5 100644
--- a/core/src/main/java/google/registry/tmch/TmchXmlSignature.java
+++ b/core/src/main/java/google/registry/tmch/TmchXmlSignature.java
@@ -111,6 +111,10 @@ public class TmchXmlSignature {
 dbf.setSchema(SCHEMA);
 dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", false);
 dbf.setNamespaceAware(true);
+ // Disable DTDs
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setXIncludeAware(false); // disable XML Inclusions
+ dbf.setExpandEntityReferences(false); // disable expand entity reference nodes
 return dbf.newDocumentBuilder().parse(input);
 }
diff --git a/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java b/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java
index 346d24910..a1d884c59 100644
--- a/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java
+++ b/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java
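Review bot: The comment `// Prevent XXE attacks.` above the two new setProperty calls in EppXmlSanitizer does not say why both properties are set; `SUPPORT_DTD=false` already stops entity declarations from being processed, and `IS_SUPPORTING_EXTERNAL_ENTITIES=false` is worth keeping so the protection does not depend on which StAX implementation is loaded at runtime. I would expand it to `// Harden against XXE: no DTD processing and no external entity resolution; both are set so the protection holds whichever StAX implementation is on the classpath.` With DTD support off, an EPP payload that references DTD-declared entities will most likely fail with an XMLStreamException instead of being sanitized, so callers that only log the sanitized output should be checked for how they handle that, ideally with a unit test feeding a DOCTYPE-bearing payload. The factory method this hunk sits in starts outside the hunk.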
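Review bot: In TmchXmlSignature, `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` makes the parser reject any document carrying a DOCTYPE, which is the right setting for signed mark data, but the comment `// Disable DTDs` should say that such input now fails with a SAXParseException and that the two following lines are defence in depth rather than independent protection, e.g. `// Reject any DOCTYPE outright (parse throws SAXParseException); XInclude and entity expansion are also disabled in case a different parser ignores the feature.` setFeature throws the checked ParserConfigurationException and this hunk does not catch it, so the enclosing method — which starts outside the hunk — presumably already declares it for newDocumentBuilder(); the prober copy of this change in EppMessage.java wraps the same call in a try/catch instead, and the two sites would be easier to maintain with one approach. Confirm against the existing SMD test fixtures that none of them includes a DOCTYPE, since those would now be rejected rather than verified.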
@@ -153,6 +153,14 @@ public class EppMessage {
 xpath = XPathFactory.newInstance().newXPath();
 xpath.setNamespaceContext(new EppNamespaceContext());
 docBuilderFactory.setNamespaceAware(true);
+ try {
+ // Disable DTDs
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (ParserConfigurationException e) {
+ throw new RuntimeException("Error configuring DocumentBuilderFactory", e);
+ }
+ docBuilderFactory.setXIncludeAware(false); // disable XML Inclusions
+ docBuilderFactory.setExpandEntityReferences(false); // disable expand entity reference nodes
 String path = "./xsd/";
 StreamSource[] sources;