diff --git a/rack-protection/lib/rack/protection/base.rb b/rack-protection/lib/rack/protection/base.rb
index c914da23..83e72406 100644
--- a/rack-protection/lib/rack/protection/base.rb
+++ b/rack-protection/lib/rack/protection/base.rb
@@ -13,7 +13,7 @@ module Rack
 :session_key => 'rack.session', :status => 403,
 :allow_empty_referrer => true,
 :report_key => "protection.failed",
-:html_types => %w[text/html application/xhtml]
+:html_types => %w[text/html application/xhtml text/xml application/xml]
 }
 
 attr_reader :app, :options
diff --git a/rack-protection/spec/lib/rack/protection/protection_spec.rb b/rack-protection/spec/lib/rack/protection/protection_spec.rb
index a9afda22..815fab8e 100644
--- a/rack-protection/spec/lib/rack/protection/protection_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/protection_spec.rb
@@ -69,6 +69,16 @@ describe Rack::Protection do
 it { is_expected.to be_truthy }
 end
 
+context "given an appropriate content-type header of text/xml" do
+subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/xml" }
+it { is_expected.to be_truthy }
+end
+
+context "given an appropriate content-type header of application/xml" do
+subject { Rack::Protection::Base.new(nil).html? 'content-type' => "application/xml" }
+it { is_expected.to be_truthy }
+end
+
 context "given an inappropriate content-type header" do
 subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
 it { is_expected.to be_falsey }
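Review bot: The widened `:html_types` default now covers types that are not HTML, and nothing in the hunk records why XML responses should receive the same markup-oriented protections, so a later maintainer may trim the list back. A comment above the option would preserve the rationale, e.g. `# Types a browser may render as a document (XML can carry XHTML/XSLT), so they get the same response protections as HTML`. It is also worth noting that `application/xhtml` is not the registered XHTML media type (`application/xhtml+xml` is); if `html?` compares the content type by exact inclusion in this list, as the pre-existing entry suggests, genuine XHTML responses will still be treated as non-HTML, which seems to contradict the intent of this commit. The `DEFAULT_OPTIONS` hash and the `html?` method that consumes it both lie outside the hunk, so this is inferred from the visible entries only.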
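Review bot: Both new examples exercise `html?` with a bare media type, so the case real servers emit most often, a type with parameters such as `'content-type' => "text/xml; charset=utf-8"`, is left unpinned; if `html?` strips parameters before matching (not visible in this hunk), one more `context` asserting `be_truthy` for that header would guard that behaviour, and if it does not, the example would expose the gap. A companion `be_falsey` example for a near miss such as `"application/xml-dtd"` would also confirm the match is exact rather than prefix-based.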