diff --git a/api/http/handler/file/handler.go b/api/http/handler/file/handler.go
index 15ec1417f..464062be1 100644
--- a/api/http/handler/file/handler.go
+++ b/api/http/handler/file/handler.go
@@ -33,5 +33,9 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else {
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	}
+
+	w.Header().Add("X-Frame-Options", "DENY")
+	w.Header().Add("X-XSS-Protection", "1; mode=block")
+	w.Header().Add("X-Content-Type-Options", "nosniff")
 	handler.Handler.ServeHTTP(w, r)
 }
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index 798d37f7b..5aad463f1 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -114,8 +114,9 @@ func (bouncer *RequestBouncer) EndpointAccess(r *http.Request, endpoint *portain
 // mwSecureHeaders provides secure headers middleware for handlers.
 func mwSecureHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Add("X-Content-Type-Options", "nosniff")
 		w.Header().Add("X-Frame-Options", "DENY")
+		w.Header().Add("X-XSS-Protection", "1; mode=block")
+		w.Header().Add("X-Content-Type-Options", "nosniff")
 		next.ServeHTTP(w, r)
 	})
 }
diff --git a/app/portainer/views/teams/teamsController.js b/app/portainer/views/teams/teamsController.js
index 9b63b234e..6c01427ac 100644
--- a/app/portainer/views/teams/teamsController.js
+++ b/app/portainer/views/teams/teamsController.js
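Review bot: The three header lines added before `handler.Handler.ServeHTTP(w, r)` use `Header().Add`, which appends rather than replaces, so if this handler ever sits behind `mwSecureHeaders` (or any other layer that emits the same names) the response carries duplicate `X-Frame-Options` / `X-Content-Type-Options` lines; `w.Header().Set("X-Frame-Options", "DENY")` (and likewise for the other two) states the intent of "exactly this value" and is idempotent. The list is also a verbatim copy of the one in `mwSecureHeaders` in bouncer.go, so the two will drift over time; a single helper in the security package, e.g. `func SetSecureHeaders(h http.Header)`, called from both places would keep them in sync. `X-XSS-Protection: 1; mode=block` is a deprecated header that current browsers ignore and that in some legacy browsers enabled an auditor later withdrawn for leaking page content, so the modern recommendation is `0` (or omitting it) with a `Content-Security-Policy` carrying the real protection. ServeHTTP starts above this hunk, so the branch that sets `Cache-Control` for the other case is not visible here.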
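Review bot: `X-XSS-Protection: 1; mode=block`, added inside the `http.HandlerFunc` in mwSecureHeaders, is deprecated: Chromium, Edge and Firefox no longer honour it, and in the legacy browsers that did, the filter it enabled could be abused to leak page contents, so the safe value today is `w.Header().Set("X-XSS-Protection", "0")` (or no header at all) plus a `Content-Security-Policy`. The middleware also uses `Add` for all three headers; because it runs before `next.ServeHTTP(w, r)`, any downstream handler that emits the same names (the file handler touched in this same commit does, if it is routed through this middleware) yields duplicate header lines, whereas `Set` guarantees one deterministic value per name. The doc comment above the function could name what is emitted and that handlers may override it: `// mwSecureHeaders sets X-Frame-Options, X-XSS-Protection and X-Content-Type-Options on every response before calling next; downstream handlers may override them.`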
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('TeamsController', ['$q', '$scope', '$state', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
-function ($q, $scope, $state, TeamService, UserService, ModalService, Notifications, Authentication) {
+.controller('TeamsController', ['$q', '$scope', '$state', '$sanitize', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
+function ($q, $scope, $state, $sanitize, TeamService, UserService, ModalService, Notifications, Authentication) {
   $scope.state = {
     actionInProgress: false
   };
@@ -22,7 +22,7 @@ function ($q, $scope, $state, TeamService, UserService, ModalService, Notificati
   };
 
   $scope.addTeam = function() {
-    var teamName = $scope.formValues.Name;
+    var teamName = $sanitize($scope.formValues.Name);
     var leaderIds = [];
     angular.forEach($scope.formValues.Leaders, function(user) {
       leaderIds.push(user.Id);
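Review bot: Injecting `$sanitize` into TeamsController only works if the `portainer.app` module, or one it depends on, declares `ngSanitize`; that declaration is not in this hunk, and without it Angular throws an injector error the moment the controller is instantiated, so the Teams view would break outright rather than fail safe. Worth confirming that the module definition pulls in angular-sanitize and that the script is bundled, and recording the requirement next to the new dependency: `// $sanitize requires the ngSanitize module (angular-sanitize)`.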
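Review bot: `$sanitize($scope.formValues.Name)` transforms the data rather than its rendering: `$sanitize` HTML-encodes characters such as `&`, `<` and `>`, so a team named `R&D` is sent to the API and persisted as `R&amp;D`, and every other consumer of the name (API clients, other views, logs) then sees entities. Since it runs only in this controller it also does nothing for requests made directly to the REST API, so it is not a server-side control; the authoritative defence is validation of the name in the Go handler plus output encoding at render time, which Angular's `{{ }}` interpolation already performs. If the intent is to reject rather than rewrite dangerous input, compare and bail out with the value left untouched, e.g. `if ($sanitize(teamName) !== teamName) { /* report invalid name via Notifications and return */ }`, with a comment stating that the server remains the real boundary. addTeam's body continues past the end of this hunk.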