Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_dispatch/railtie.rb3
-rw-r--r--actionpack/test/dispatch/response_test.rb4
3 files changed, 8 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 95fc79b791..095957e1a2 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -51,8 +51,9 @@
*Richard Schneeman*
-* Add 'X-Frame-Options' => 'SAMEORIGIN' and
- 'X-XSS-Protection' => '1; mode=block'
+* Add 'X-Frame-Options' => 'SAMEORIGIN'
+ 'X-XSS-Protection' => '1; mode=block' and
+ 'X-Content-Type-Options' => 'nosniff'
as default headers.
*Egor Homakov*
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 0dcf1fc4fe..5aad8dd23a 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -21,7 +21,8 @@ module ActionDispatch
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN',
- 'X-XSS-Protection' => '1; mode=block'
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
}
initializer "action_dispatch.configure" do |app|
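Review bot: The defaults hash assigned at `config.action_dispatch.default_headers = {` now sets three security headers but carries no comment saying what they are for or how an application opts out of one, which is the first question a developer will ask when a response relying on browser MIME sniffing stops working after the new `'X-Content-Type-Options' => 'nosniff'` default. A one-line comment above the hash, e.g. `# Security headers sent with every response; an app can replace this hash or delete a key in its own configuration.`, would cover it. The enclosing railtie class body, inside `module ActionDispatch`, begins and ends outside this hunk.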
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
index 71609d7340..4d699bd739 100644
--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -177,9 +177,10 @@ class ResponseTest < ActiveSupport::TestCase
end
end
- test "read x_frame_options and x_xss_protection" do
+ test "read x_frame_options, x_content_type_options and x_xss_protection" do
ActionDispatch::Response.default_headers = {
'X-Frame-Options' => 'DENY',
+ 'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1;'
}
resp = ActionDispatch::Response.new.tap { |response|
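Review bot: The test assigns `ActionDispatch::Response.default_headers = {` globally, and nothing in this hunk restores the previous value; unless the test case has a teardown that resets it (not visible here), the `'DENY'`/`'nosniff'`/`'1;'` values can leak into other tests in the process, including any that assert on the railtie defaults. If there is no such teardown, a `teardown { ActionDispatch::Response.default_headers = nil }` or saving and restoring the old hash around the assignment would isolate it. The `test "read x_frame_options, x_content_type_options and x_xss_protection" do` block continues past the end of this hunk, and its new `assert_equal('nosniff', ...)` line sits in the following hunk.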
@@ -188,6 +189,7 @@ class ResponseTest < ActiveSupport::TestCase
resp.to_a
assert_equal('DENY', resp.headers['X-Frame-Options'])
+ assert_equal('nosniff', resp.headers['X-Content-Type-Options'])
assert_equal('1;', resp.headers['X-XSS-Protection'])
end