diff --git a/rack-protection/lib/rack/protection/xss_header.rb b/rack-protection/lib/rack/protection/xss_header.rb
index 17eeee04..5342e95c 100644
--- a/rack-protection/lib/rack/protection/xss_header.rb
+++ b/rack-protection/lib/rack/protection/xss_header.rb
@@ -12,10 +12,15 @@ module Rack
 # Options:
 # xss_mode:: How the browser should prevent the attack (default: :block)
 class XSSHeader < Base
- default_options :xss_mode => :block
+ default_options :xss_mode => :block, :nosniff => true
 
 def header
- { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
+ headers = {
+ 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
+ 'X-Content-Type-Options' => "nosniff"
+ }
+ headers.delete("X-Content-Type-Options") unless options[:nosniff]
+ headers
 end
 
 def call(env)
diff --git a/rack-protection/spec/xss_header_spec.rb b/rack-protection/spec/xss_header_spec.rb
index 57914cb5..ceb95942 100644
--- a/rack-protection/spec/xss_header_spec.rb
+++ b/rack-protection/spec/xss_header_spec.rb
@@ -21,4 +21,22 @@ describe Rack::Protection::XSSHeader do
 mock_app with_headers("X-XSS-Protection" => "0")
 get('/').headers["X-XSS-Protection"].should == "0"
 end
+
+ it 'should set the X-Content-Type-Options' do
+ get('/').header["X-Content-Type-Options"].should == "nosniff"
+ end
+
+ it 'should allow changing the nosniff-mode off' do
+ mock_app do
+ use Rack::Protection::XSSHeader, :nosniff => false
+ run DummyApp
+ end
+
+ get('/').headers["X-Content-Type-Options"].should be_nil
+ end
+
+ it 'should not override the header if already set X-Content-Type-Options' do
+ mock_app with_headers("X-Content-Type-Options" => "sniff")
+ get('/').headers["X-Content-Type-Options"].should == "sniff"
+ end
 end
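Review bot: The new `nosniff` option is not documented in the `# Options:` block directly above `class XSSHeader`, which still lists only `xss_mode::`; add a line such as `# nosniff:: Whether to also send X-Content-Type-Options: nosniff, so browsers do not MIME-sniff a response away from its declared Content-Type (default: true)`. The build-then-`delete` in `header` states the rule backwards and mixes quote styles; writing the base hash with only the X-XSS-Protection entry and then `headers['X-Content-Type-Options'] = 'nosniff' if options[:nosniff]` expresses the conditional header directly. The `call(env)` method that applies these headers starts on the hunk's last line and its body is outside the hunk, so whether an already-set X-Content-Type-Options header is left alone can only be inferred from the new spec.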
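Review bot: The first new example reads the response via `get('/').header[...]` while the other two (and the existing example just above) use `.headers[...]`; presumably `header` is an alias that happens to work, but it reads like a typo and should be `get('/').headers["X-Content-Type-Options"].should == "nosniff"` for consistency. The example name `'should allow changing the nosniff-mode off'` would read more naturally as `'should allow turning nosniff off'`, matching the option name used in the `use` line.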