Update `action_dispatch.default_headers` default value [ci skip]

This was changed with 5d7b70f and 428939b.

2 files changed, 8 insertions, 2 deletions

diff --git a/guides/source/configuring.md b/guides/source/configuring.md
index 36c2fdb0b8..a0bf6046da 100644
--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@@ -462,7 +462,10 @@ The schema dumper adds one additional configuration option:
     config.action_dispatch.default_headers = {
       'X-Frame-Options' => 'SAMEORIGIN',
       'X-XSS-Protection' => '1; mode=block',
-      'X-Content-Type-Options' => 'nosniff'
+      'X-Content-Type-Options' => 'nosniff',
+      'X-Download-Options' => 'noopen',
+      'X-Permitted-Cross-Domain-Policies' => 'none',
+      'Referrer-Policy' => 'strict-origin-when-cross-origin'
     }
     ```
 
diff --git a/guides/source/security.md b/guides/source/security.md
index ab5a5a7a31..de0b523057 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1070,7 +1070,10 @@ Every HTTP response from your Rails application receives the following default s
 config.action_dispatch.default_headers = {
   'X-Frame-Options' => 'SAMEORIGIN',
   'X-XSS-Protection' => '1; mode=block',
-  'X-Content-Type-Options' => 'nosniff'
+  'X-Content-Type-Options' => 'nosniff',
+  'X-Download-Options' => 'noopen',
+  'X-Permitted-Cross-Domain-Policies' => 'none',
+  'Referrer-Policy' => 'strict-origin-when-cross-origin'
 }
 ```