diff --git a/CHANGELOG b/CHANGELOG
index 01dbcc3c6888b9b6f59a272a34fbbd673be373cd..25f10c15f5f544801b0f9e62c33405c6bc4389dc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v 6.5.0
   - Add project visibility icons to dashboard
   - Enable secure cookies if https used
   - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled
 
 v6.4.3
   - Don't use unicorn worker killer if PhusionPassenger is defined
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0e714dbfcdfa1e49e2fc3b9c773564c7838ed013..cf14cd9a1df9ea37b8463d1c76306c824c0d1a28 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -161,6 +161,8 @@ def default_headers
     headers['X-Frame-Options'] = 'DENY'
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
   end
 
   def add_gon_variables