I was reading an article on Google+ I found through Hacker News:
I was wondering if these headers should be turned on by default in Rails?
As far as I know, some of them can be sent by default, while others can only be sent when force_ssl is on.
I think adding the X Headers by default would be fine. I don't think we should muck with the cookie one though.