diff --git a/.htaccess b/.htaccess
index 5e24a35743dec820a6b91a35bef410a5e34d3641..8c1cefb89c277cd47455f27fb283b33510fb629a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,11 +1,25 @@
 # Version: 8.1.0
-<IfModule mod_fcgid.c>
-<IfModule mod_setenvif.c>
 <IfModule mod_headers.c>
-SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
-RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
-</IfModule>
-</IfModule>
+  <IfModule mod_fcgid.c>
+    <IfModule mod_setenvif.c>
+       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
+       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
+    </IfModule>
+  </IfModule>
+
+  <IfModule mod_env.c>
+    # Add security and privacy related headers
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-XSS-Protection "1; mode=block"
+    Header set X-Robots-Tag "none"
+    Header set X-Frame-Options "SAMEORIGIN"
+    SetEnv modHeadersAvailable true
+  </IfModule>
+
+  # Add cache control for CSS and JS files
+  <FilesMatch "\.(css|js)$">
+    Header set Cache-Control "max-age=7200, public"
+  </FilesMatch>
 </IfModule>
 <IfModule mod_php5.c>
 php_value upload_max_filesize 513M
@@ -42,14 +56,5 @@ DirectoryIndex index.php index.html
 AddDefaultCharset utf-8
 Options -Indexes
 <IfModule pagespeed_module>
-        ModPagespeed Off
-</IfModule>
-<IfModule mod_headers.c>
-  Header set X-Content-Type-Options "nosniff"
-  Header set X-XSS-Protection "1; mode=block"
-  Header set X-Robots-Tag "none"
-  Header set X-Frame-Options "SAMEORIGIN"
-  <FilesMatch "\.(css|js)$">
-    Header set Cache-Control "max-age=7200, public"
-  </FilesMatch>
+  ModPagespeed Off
 </IfModule>
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index d5bd1c465b2c28d3d7a292fcb6a416817d0ba89c..67925d75d343ff4503c48b0768e95924756bad49 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -115,9 +115,9 @@
 				};
 
 				for (var header in securityHeaders) {
-					if(xhr.getResponseHeader(header) !== securityHeaders[header]) {
+					if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
 						messages.push(
-							t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
+							t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
 						);
 					}
 				}
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 487e28a6204fbedb31de3017f283e5b1bbc39d8f..70f64432e9e3e7e518ca94b58043897edb3e36e3 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() {
 			);
 
 			async.done(function( data, s, x ){
-				expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']);
+				expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']);
 				done();
 			});
 		});
@@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() {
 					'X-Robots-Tag': 'none',
 					'X-Frame-Options': 'SAMEORIGIN',
 					'Strict-Transport-Security': '2678400'
-
 				}
 			);
 
 			async.done(function( data, s, x ){
-				expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']);
+				expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']);
 				done();
 			});
 		});
@@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() {
 
 		async.done(function( data, s, x ){
 			expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']);
-				done();
+			done();
 		});
 	});
 
@@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() {
 		);
 		async.done(function( data, s, x ){
 			expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']);
-				done();
+			done();
 		});
 	});
 
@@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() {
 
 		async.done(function( data, s, x ){
 			expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
-				done();
+			done();
 		});
 	});
 
diff --git a/lib/private/response.php b/lib/private/response.php
index e0d48c7476bfdea1935327194615127c7029e373..ba458cb6afd0342bfa8118ec994634763a85aa3f 100644
--- a/lib/private/response.php
+++ b/lib/private/response.php
@@ -229,6 +229,15 @@ class OC_Response {
 			. 'media-src *; ' 
 			. 'connect-src *';
 		header('Content-Security-Policy:' . $policy);
+
+		// Send fallback headers for installations that don't have the possibility to send
+		// custom headers on the webserver side
+		if(getenv('modHeadersAvailable') !== 'true') {
+			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+		}
 	}
 
 }
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index 42ae42a4d02a5219f8610855d23f8418cb3d9b04..f37b541e421f951e9faac0fbd53e55a759da8d81 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -444,6 +444,7 @@ if ($_['cronErrors']) {
 		<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
 		<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
 		<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
+		<li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>
 	</ul>
 </div>