Fix missing default headers

config/application.rb

@@ -38,7 +38,9 @@ module Mastodon
     end
 
     config.action_dispatch.default_headers = {
-      'X-Frame-Options' => 'DENY'
+      'X-Frame-Options' => 'DENY',
+      'X-Content-Type-Options' => 'nosniff',
+      'X-XSS-Protection' => '1; mode=block'
     }
   end
 end