diff --git a/actionpack/lib/action_dispatch/http/response.rb b/actionpack/lib/action_dispatch/http/response.rb
index d336808e7cdd027eefd75cf2570d7cab428780f1..5014ad80aade9ce1a7661d540e3c0df12c507203 100644
--- a/actionpack/lib/action_dispatch/http/response.rb
+++ b/actionpack/lib/action_dispatch/http/response.rb
@@ -58,6 +58,7 @@ class Response
     LOCATION     = "Location".freeze
 
     cattr_accessor(:default_charset) { "utf-8" }
+    cattr_accessor(:default_headers)
 
     include Rack::Response::Helpers
     include ActionDispatch::Http::Cache::Response
@@ -96,6 +97,10 @@ def closed?
     def initialize(status = 200, header = {}, body = [])
       super()
 
+      if self.class.default_headers.respond_to?(:merge)
+        header = self.class.default_headers.merge(header)
+      end
+
       self.body, self.header, self.status = body, header, status
 
       @sending_file = false
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 62f906219cf1e1bc92eb31de70d704d170efbd62..e7f3f07390e551c879bf1b9b240f60f5a676a38e 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -23,6 +23,7 @@ class Railtie < Rails::Railtie
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
       ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
       ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding
+      ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers
 
       ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)
       ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)
diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb
index 1ee90e88f2d8eb4a88b3c6b3df9a970f5703a6f6..f20dd78031ee8991906327668a52df1f731bae98 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -41,6 +41,11 @@ class Application < Rails::Application
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters += [:password]
 
+    config.action_dispatch.default_headers = {
+        'X-Frame-Options' => 'SAMEORIGIN',
+        'X-XSS-Protection' => '1; mode=block'
+    }
+
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types.