diff --git a/app/assets/stylesheets/main.scss b/app/assets/stylesheets/main.scss
index cf5b7654..393de124 100644
--- a/app/assets/stylesheets/main.scss
+++ b/app/assets/stylesheets/main.scss
@@ -7,11 +7,15 @@ $govuk-images-path: "/";
 @import "govuk-frontend/dist/govuk/all";
 
 button.govuk-header__link {
-  background: none !important;
+  background: none;
   border: none;
-  padding: 0 !important;
-  color: #fff;
+  padding: 0;
+  color: $govuk-body-background-colour;
   cursor: pointer;
   font-size: 1rem;
   font-weight: bold;
 }
+
+button.govuk-header__link:focus {
+  background-color: $govuk-focus-colour;
+}
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3ac5ff4e..9b352ddc 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,5 @@
 require "dfe/analytics/filtered_request_event"
+require "govuk_component/header_component"
 
 class ApplicationController < ActionController::Base
   include DfE::Analytics::Requests
diff --git a/app/views/layouts/base.html.erb b/app/views/layouts/base.html.erb
index 2b810897..e862635a 100644
--- a/app/views/layouts/base.html.erb
+++ b/app/views/layouts/base.html.erb
@@ -28,7 +28,11 @@
     <%= govuk_header(service_name: t("service.name")) do |header|
       if request.path != main_app.not_authorised_path
         if current_dsi_user
-          header.with_navigation_item(href: main_app.dsi_sign_out_path(id_token_hint: session[:id_token]), text: "Sign out")
+          header.with_navigation_item(
+            href: main_app.dsi_sign_out_post_path({ id_token_hint: session[:id_token] }),
+            post: true,
+            text: "Sign out"
+          )
         else
           header.with_navigation_item(href: main_app.sign_in_path, text: "Sign in")
         end
diff --git a/config/routes.rb b/config/routes.rb
index 40c06940..ac214db6 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -7,6 +7,7 @@
   get "/sign-in", to: "sign_in#new"
   get "/sign-out", to: "sign_out#new"
   get "/auth/dfe/sign-out", to: "sign_out#new", as: :dsi_sign_out
+  post "/auth/dfe/sign-out", to: "sign_out#new", as: :dsi_sign_out_post
 
   get "/auth/dfe/callback", to: "omniauth_callbacks#dfe"
   post "/auth/developer/callback", to: "omniauth_callbacks#dfe_bypass"
diff --git a/spec/system/user_signs_in_spec.rb b/spec/system/user_signs_in_spec.rb
index fb2aa8f2..ac8f592c 100644
--- a/spec/system/user_signs_in_spec.rb
+++ b/spec/system/user_signs_in_spec.rb
@@ -24,10 +24,11 @@
 
   def then_i_am_signed_in
     within("header") do
-      expect(page).to have_link("Sign out")
-      sign_out_link = find_link("Sign out")
-      # Expect the token from mocked auth to be in the sign out link
-      expect(sign_out_link[:href]).to include "id_token_hint=abc123"
+      expect(page).to have_button("Sign out")
+      sign_out_button = find_button("Sign out")
+      # Expect the token from mocked auth to be in the sign out form
+      token_hint_field = sign_out_button.sibling("input[name=id_token_hint]", visible: false)
+      expect(token_hint_field.value).to eq("abc123")
     end
     expect(DsiUser.count).to eq 1
     expect(DsiUserSession.count).to eq 1