diff --git a/Gemfile b/Gemfile
index 0443d2b3269..8d05d9dedb1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -49,7 +49,7 @@ gem 'saml_idp', git: 'https://github.com/18F/saml_idp.git', tag: 'v0.7.0-18f'
 gem 'sass-rails', '~> 5.0'
 gem 'savon'
 gem 'scrypt'
-gem 'secure_headers', '~> 3.0'
+gem 'secure_headers', '~> 6.0'
 gem 'sidekiq'
 gem 'simple_form'
 gem 'sinatra', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index 7d228f03869..05391674335 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -543,8 +543,7 @@ GEM
       wasabi (~> 3.4)
     scrypt (3.0.5)
       ffi-compiler (>= 1.0, < 2.0)
-    secure_headers (3.7.3)
-      useragent
+    secure_headers (6.0.0)
     selenium-webdriver (3.11.0)
       childprocess (~> 0.5)
       rubyzip (~> 1.2)
@@ -626,7 +625,6 @@ GEM
     unicode-display_width (1.3.0)
     uniform_notifier (1.11.0)
     user_agent_parser (2.4.1)
-    useragent (0.16.8)
     uuid (2.3.9)
       macaddr (~> 1.0)
     valid_email (0.1.0)
@@ -754,7 +752,7 @@ DEPENDENCIES
   sass-rails (~> 5.0)
   savon
   scrypt
-  secure_headers (~> 3.0)
+  secure_headers (~> 6.0)
   shoulda-matchers (~> 3.0)
   sidekiq
   simple_form
diff --git a/app/decorators/service_provider_session_decorator.rb b/app/decorators/service_provider_session_decorator.rb
index 8ca638d4acf..366a5353906 100644
--- a/app/decorators/service_provider_session_decorator.rb
+++ b/app/decorators/service_provider_session_decorator.rb
@@ -1,7 +1,4 @@
 class ServiceProviderSessionDecorator
-  include Rails.application.routes.url_helpers
-  include LocaleHelper
-
   DEFAULT_LOGO = 'generic.svg'.freeze
 
   SP_ALERTS = {
@@ -97,7 +94,7 @@ def sp_return_url
   end
 
   def cancel_link_url
-    sign_up_start_url(request_id: sp_session[:request_id], locale: locale_url_param)
+    view_context.sign_up_start_url(request_id: sp_session[:request_id])
   end
 
   def sp_alert?
diff --git a/app/decorators/session_decorator.rb b/app/decorators/session_decorator.rb
index c161d8ddf41..95e1dece91b 100644
--- a/app/decorators/session_decorator.rb
+++ b/app/decorators/session_decorator.rb
@@ -1,6 +1,7 @@
 class SessionDecorator
-  include Rails.application.routes.url_helpers
-  include LocaleHelper
+  def initialize(view_context: nil)
+    @view_context = view_context
+  end
 
   def return_to_service_provider_partial
     'shared/null'
@@ -31,7 +32,7 @@ def idv_hardfail4_partial
   end
 
   def cancel_link_url
-    root_url(locale: locale_url_param)
+    view_context.root_url
   end
 
   def sp_name; end
@@ -51,4 +52,8 @@ def sp_alert?; end
   def sp_alert_name; end
 
   def sp_alert_learn_more; end
+
+  private
+
+  attr_reader :view_context
 end
diff --git a/app/services/decorated_session.rb b/app/services/decorated_session.rb
index 5a51d68fee7..4d69b7295e5 100644
--- a/app/services/decorated_session.rb
+++ b/app/services/decorated_session.rb
@@ -15,7 +15,7 @@ def call
         service_provider_request: service_provider_request
       )
     else
-      SessionDecorator.new
+      SessionDecorator.new(view_context: view_context)
     end
   end
 
diff --git a/spec/decorators/service_provider_session_decorator_spec.rb b/spec/decorators/service_provider_session_decorator_spec.rb
index 083c52d1f81..8fcb26f208e 100644
--- a/spec/decorators/service_provider_session_decorator_spec.rb
+++ b/spec/decorators/service_provider_session_decorator_spec.rb
@@ -136,18 +136,14 @@
       )
     end
 
-    it 'returns sign_up_start_url with the request_id as a param' do
-      expect(decorator.cancel_link_url).
-        to eq 'http://www.example.com/sign_up/start?request_id=foo'
+    before do
+      allow(view_context).to receive(:sign_up_start_url).
+        and_return('https://www.example.com/sign_up/start')
     end
 
-    context 'in another language' do
-      before { I18n.locale = :fr }
-
-      it 'keeps the language' do
-        expect(decorator.cancel_link_url).
-          to eq 'http://www.example.com/fr/sign_up/start?request_id=foo'
-      end
+    it 'returns view_context.sign_up_start_url' do
+      expect(decorator.cancel_link_url).
+        to eq 'https://www.example.com/sign_up/start'
     end
   end
 end
diff --git a/spec/decorators/session_decorator_spec.rb b/spec/decorators/session_decorator_spec.rb
index c032abe3c71..34d145ca63f 100644
--- a/spec/decorators/session_decorator_spec.rb
+++ b/spec/decorators/session_decorator_spec.rb
@@ -62,8 +62,12 @@
   end
 
   describe '#cancel_link_url' do
-    it 'returns root url' do
-      expect(subject.cancel_link_url).to eq 'http://www.example.com/'
+    it 'returns view_context.root url' do
+      view_context = ActionController::Base.new.view_context
+      allow(view_context).to receive(:root_url).and_return('http://www.example.com')
+      decorator = SessionDecorator.new(view_context: view_context)
+
+      expect(decorator.cancel_link_url).to eq 'http://www.example.com'
     end
   end
 end
diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb
index a2495ab7652..68067da0816 100644
--- a/spec/features/users/sign_up_spec.rb
+++ b/spec/features/users/sign_up_spec.rb
@@ -82,7 +82,7 @@
         click_on t('links.cancel')
         click_on t('sign_up.buttons.cancel')
 
-        expect(page).to have_current_path(sign_up_start_path)
+        expect(page).to have_current_path(sign_up_start_path(request_id: '123'))
         expect { User.find(user.id) }.to raise_error ActiveRecord::RecordNotFound
       end
     end
diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb
index f492c2678d0..7a5b1ce9c18 100644
--- a/spec/support/features/session_helper.rb
+++ b/spec/support/features/session_helper.rb
@@ -50,7 +50,7 @@ def begin_sign_up_with_sp_and_loa(loa3:)
       Warden.on_next_request do |proxy|
         session = proxy.env['rack.session']
         sp = ServiceProvider.from_issuer('http://localhost:3000')
-        session[:sp] = { loa3: loa3, issuer: sp.issuer }
+        session[:sp] = { loa3: loa3, issuer: sp.issuer, request_id: '123' }
       end
 
       visit account_path
diff --git a/spec/views/devise/passwords/new.html.slim_spec.rb b/spec/views/devise/passwords/new.html.slim_spec.rb
index a2ed8630266..cc3521e89b0 100644
--- a/spec/views/devise/passwords/new.html.slim_spec.rb
+++ b/spec/views/devise/passwords/new.html.slim_spec.rb
@@ -9,6 +9,9 @@
       return_to_sp_url: 'www.awesomeness.com'
     )
     view_context = ActionController::Base.new.view_context
+    allow(view_context).to receive(:sign_up_start_url).
+      and_return('https://www.example.com/sign_up/start')
+
     @decorated_session = DecoratedSession.new(
       sp: @sp,
       view_context: view_context,
diff --git a/spec/views/sign_up/registrations/new.html.slim_spec.rb b/spec/views/sign_up/registrations/new.html.slim_spec.rb
index e4fbf730107..54ed039d27a 100644
--- a/spec/views/sign_up/registrations/new.html.slim_spec.rb
+++ b/spec/views/sign_up/registrations/new.html.slim_spec.rb
@@ -12,6 +12,7 @@
       sp: nil, view_context: view_context, sp_session: {}, service_provider_request: nil
     ).call
     allow(view).to receive(:decorated_session).and_return(@decorated_session)
+    allow(view_context).to receive(:root_url).and_return('http://www.example.com')
   end
 
   it 'has a localized title' do