diff --git a/.htaccess b/.htaccess
index 50c06d4e3aef9e34593db32b0d6d73b65d71b4ab..60d71d7a1700a7bbe55b5218026c27d82aab6b1a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -285,10 +285,3 @@
 ## http://developer.yahoo.com/performance/rules.html#etags
 #FileETag none
-
-############################################
-## Add custom headers
-<IfModule mod_headers.c>
- Header set X-Content-Type-Options "nosniff"
- Header set X-XSS-Protection "1; mode=block"
-</IfModule>
diff --git a/app/etc/di.xml b/app/etc/di.xml
index d3d67b9bb3552d055ce8a546caa3f0a35b1a0f7f..c0726df71485c14b34877605f92db19ca28cc0c1 100755
--- a/app/etc/di.xml
+++ b/app/etc/di.xml
@@ -1076,6 +1076,8 @@
 <arguments>
 <argument name="headerProviderList" xsi:type="array">
 <item name="x-frame-options" xsi:type="object">Magento\Framework\App\Response\Header\XFrameOptions</item>
+ <item name="x-content-type-options" xsi:type="object">Magento\Framework\App\Response\Header\XContentTypeOptions</item>
+ <item name="x-xss-protection" xsi:type="object">Magento\Framework\App\Response\Header\XssProtection</item>
 </argument>
 </arguments>
 </type>
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
new file mode 100644
index 0000000000000000000000000000000000000000..6776b81af66d4b56f063fc892b7394b7efce4734
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
@@ -0,0 +1,14 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\Response\Header\AbstractHeader;
+
+class XContentTypeOptions extends AbstractHeader
+{
+ protected $value = 'nosniff';
+ protected $name = 'X-Content-Type-Options';
+}
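Review bot: Registering the two providers in `headerProviderList` only covers responses that Magento itself builds, whereas the `.htaccess` block removed in the first hunk applied `X-Content-Type-Options` and `X-XSS-Protection` to every Apache-served response, including static files that never reach the PHP front controller (how the list is consumed is outside this hunk, so this is inferred). If static assets are meant to keep `nosniff`, a web-server level rule for them still appears to be needed; otherwise the commit message should state that the narrower coverage is intentional. The enclosing `<type>` element starts before the hunk.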
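Review bot: The `use Magento\Framework\App\Response\Header\AbstractHeader;` line is redundant, because the new class is declared in that same namespace, so `extends AbstractHeader` resolves without it and the import can be dropped. The class also has no docblock; I would add `/** Provides the X-Content-Type-Options: nosniff response header, which tells browsers not to MIME-sniff a response away from its declared Content-Type. */` above the `class` line. Whether the header is applied unconditionally depends on `canApply()` in `AbstractHeader`, which is not part of this diff.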
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
new file mode 100644
index 0000000000000000000000000000000000000000..06817457aac93c594e42a1143a12ad413d82b9cf
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Response\HeaderProviderInterface;
+use Magento\Framework\HTTP\Header;
+
+class XssProtection implements HeaderProviderInterface
+{
+ /**
+ * Header name
+ */
+ const NAME = 'X-XSS-Protection';
+
+ /**
+ * Matches IE 8 browsers
+ */
+ const IE_8_USER_AGENT = 'MSIE 8';
+
+ /**
+ * @var Header
+ */
+ private $headerService;
+
+ /**
+ * @param Header $headerService
+ */
+ public function __construct(Header $headerService)
+ {
+ $this->headerService = $headerService;
+ }
+
+ /**
+ * Whether the header should be attached to the response
+ *
+ * @return bool
+ */
+ public function canApply()
+ {
+ return true;
+ }
+
+ /**
+ * Header name
+ *
+ * @return string
+ */
+ public function getName()
+ {
+ return self::NAME;
+ }
+
+ /**
+ * Header value. Must be disabled for IE 8.
+ *
+ * @return string
+ */
+ public function getValue()
+ {
+ return strpos($this->headerService->getHttpUserAgent(), self::IE_8_USER_AGENT) === false
+ ? '1; mode=block'
+ : '0';
+ }
+}
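Review bot: `use Magento\Framework\App\RequestInterface;` is unused in the new file; nothing in the class references it, so the line should be removed. The docblock on `getValue()` says the header "Must be disabled for IE 8" but not why, and the `'0'` branch is the one a future maintainer is most likely to "fix" away, so I would record the intent there: `Header value. Deliberately '0' (filter off) when the user agent contains 'MSIE 8'; '1; mode=block' for every other browser.`. The `strpos(...) === false` check also treats any user-agent string merely containing `MSIE 8` as IE 8, which may be intended but is worth stating in the `IE_8_USER_AGENT` docblock.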