diff --git a/CHANGELOG b/CHANGELOG
index 01dbcc3..25f10c1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v 6.5.0
   - Add project visibility icons to dashboard
   - Enable secure cookies if https used
   - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled
 
 v6.4.3
   - Don't use unicorn worker killer if PhusionPassenger is defined
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0e714db..cf14cd9 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
     headers['X-Frame-Options'] = 'DENY'
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
   end
 
   def add_gon_variables
--
libgit2 0.21.2