diff --git a/.htaccess b/.htaccess
index 7ccb6a2f629d04aad6cead1c22bf81156bb0a04a..151239c1195760442c7b4d888e74f3205b374193 100644
--- a/.htaccess
+++ b/.htaccess
@@ -141,3 +141,9 @@ DirectoryIndex index.php index.html index.htm
+
+# Add headers to all responses.
+
+ # Disable content sniffing, since it's an attack vector.
+ Header always set X-Content-Type-Options nosniff
+
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 23b66697d645829b6edb49d51d2c009f3b567c2d..069595046350597b333717e8a7cbcc168fb401f9 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,8 @@
 Drupal 7.40, xxxx-xx-xx (development version)
 -----------------------
+- Set the X-Content-Type-Options header to "nosniff" when possible, to prevent
+ certain web browsers from picking an unsafe MIME type.
 - Prevented the database API from executing multiple queries at once on MySQL, if the site's PHP version is new enough to do so. This is a secondary defense against SQL injection attacks.
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index efddf006a9b3b09ec340340de2f0893ee58dae15..b2f2b042e0237a4ca30b8f2824ae2ec1256022c0 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1262,6 +1262,10 @@ function drupal_page_header() {
 $default_headers = array(
 'Expires' => 'Sun, 19 Nov 1978 05:00:00 GMT',
 'Cache-Control' => 'no-cache, must-revalidate, post-check=0, pre-check=0',
+ // Prevent browsers from sniffing a response and picking a MIME type
+ // different from the declared content-type, since that can lead to
+ // XSS and other vulnerabilities.
+ 'X-Content-Type-Options' => 'nosniff',
 );
 drupal_send_headers($default_headers);
 }
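Review bot: The `Header always set X-Content-Type-Options nosniff` line only takes effect where mod_headers is loaded, and the indentation of the new lines suggests they sit inside a module guard whose tag lines seem to have been lost in this rendering; with such a guard, a server without mod_headers silently serves static files with no nosniff header, which the CHANGELOG's "when possible" wording appears to acknowledge. The comment above the directive should make that failure mode explicit, e.g. `# Requires mod_headers; without it, files served directly by Apache get no nosniff header.` It is also worth a sentence noting that this rule covers only what Apache serves itself, while PHP-generated pages rely on Drupal's own header, so non-Apache deployments need an equivalent rule and operators should verify the header on both a static asset and a page response.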
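Review bot: The new `'X-Content-Type-Options' => 'nosniff'` entry lands only in the `$default_headers` array of drupal_page_header(), so it reaches just the responses that pass through this function; if the cached-page path or other response paths assemble their own default header list, they presumably need the same entry, which this hunk alone cannot confirm. Because the array is passed to drupal_send_headers() as a set of defaults, the comment should also say that it is overridable, e.g. `// This is a default; headers set explicitly elsewhere take precedence in drupal_send_headers().`, so a later reader does not assume every PHP response is guaranteed to carry it. drupal_page_header() itself starts outside the hunk (its signature appears only in the hunk header), and "content-type" in the added comment would read better as the header name `Content-Type`.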