diff --git a/examples/response-headers/main.tf b/examples/response-headers/main.tf
index 0f50cba..3f940c6 100644
--- a/examples/response-headers/main.tf
+++ b/examples/response-headers/main.tf
@@ -2,14 +2,6 @@ module "custom_resp_headers" {
   source = "../../modules/response-headers"
 
   name = "custom-response-headers"
-  strict_transport_security_header = {
-    enabled  = true
-    override = true
-
-    max_age            = 31536000
-    include_subdomains = true
-    preload            = true
-  }
 
   custom_headers = [
     {
@@ -23,3 +15,13 @@ module "custom_resp_headers" {
     sampling_rate = 100
   }
 }
+
+module "override_default" {
+  source = "../../modules/response-headers"
+
+  name = "override-default-response-headers"
+
+  xss_protection_header = {
+    enabled = false
+  }
+}
diff --git a/examples/response-headers/versions.tf b/examples/response-headers/versions.tf
index 6e208d5..78c4eb5 100644
--- a/examples/response-headers/versions.tf
+++ b/examples/response-headers/versions.tf
@@ -2,6 +2,7 @@ terraform {
   required_version = ">= 1.3"
 
   required_providers {
+    # tflint-ignore: terraform_unused_required_providers
     aws = {
       source  = "hashicorp/aws"
       version = "~> 5.38"
diff --git a/modules/response-headers/README.md b/modules/response-headers/README.md
index 7aeb91e..3ba5347 100644
--- a/modules/response-headers/README.md
+++ b/modules/response-headers/README.md
@@ -27,17 +27,17 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_content_security_policy_header"></a> [content\_security\_policy\_header](#input\_content\_security\_policy\_header) | A configuration for `Content-Security-Policy` header in HTTP responses sent from CloudFront. The HTTP `Content-Security-Policy` response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks. `content_security_policy_header` as defined below.<br>    `enabled` - Whether to enable `Content-Security-Policy` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `Content-Security-Policy` response header with the header received from the origin. Defaults to `true`.<br>    `value` - The value for the `Content-Security-Policy` HTTP response header. The `Content-Security-Policy` header value is limited to 1783 characters. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br>    value    = optional(string, "")<br>  })</pre> | `{}` | no |
-| <a name="input_content_type_options_header"></a> [content\_type\_options\_header](#input\_content\_type\_options\_header) | A configuration for `X-Content-Type-Options` header in HTTP responses sent from CloudFront. The `X-Content-Type-Options` response HTTP header is a marker used by the server to indicate that the MIME types advertised in the `Content-Type` headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured. `content_type_options_header` as defined below.<br>    `enabled` - Whether to enable `X-Content-Type-Options` response header. When this setting is `true`, CloudFront adds the `X-Content-Type-Options: nosniff` header to response. (Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.) Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-Content-Type-Options` response header with the header received from the origin. Defaults to `true`. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br>  })</pre> | `{}` | no |
+| <a name="input_content_type_options_header"></a> [content\_type\_options\_header](#input\_content\_type\_options\_header) | A configuration for `X-Content-Type-Options` header in HTTP responses sent from CloudFront. The `X-Content-Type-Options` response HTTP header is a marker used by the server to indicate that the MIME types advertised in the `Content-Type` headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured. `content_type_options_header` as defined below.<br>    `enabled` - Whether to enable `X-Content-Type-Options` response header. When this setting is `true`, CloudFront adds the `X-Content-Type-Options: nosniff` header to response. (Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.) Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-Content-Type-Options` response header with the header received from the origin. Defaults to `true`. | <pre>object({<br>    enabled  = optional(bool, true)<br>    override = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_cors"></a> [cors](#input\_cors) | A configuration for a set of HTTP response headers for CORS(Cross-Origin Resource Sharing). `cors` as defined below.<br>    `enabled` - Whether to enable CORS configuration for the response headers policy .<br>    `override` - Whether CloudFront override the response from the origin which contains one of the CORS headers specified in this policy. Defaults to `true`.<br>    `access_control_allow_credentials` - Whether CloudFront adds the `Access-Control-Allow-Credentials` header in responses to CORS requests. When enabled, CloudFront adds the `Access-Control-Allow-Credentials: true` header in responses to CORS requests. Otherwise, CloudFront doesn't add this header to responses. Defaults to `false`.<br>    `access_control_allow_headers` - A set of HTTP header names for CloudFront to include as values for the `Access-Control-Allow-Headers` HTTP response header in responses to CORS preflight requests. Defaults to `["*"]` (All headers).<br>    `access_control_allow_methods` - A set of HTTP methods for CloudFront to include as values for the `Access-Control-Allow-Methods` header in responses to CORS preflight requests. Valid values are `GET`, `DELETE`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, or `ALL`). Defaults to `ALL` (All methods).<br>    `access_control_allow_origins` - A set of the origins that CloudFront can use as values in the `Access-Control-Allow-Origin` response header. Use `*` value to allow CORS requests from all origins. Defaults to `["*"]` (All origins).<br>    `access_control_expose_headers` - A set of HTTP header names for CloudFront to include as values for the `Access-Control-Expose-Headers` header in responses to CORS requests. Defaults to `[]` (None).<br>    `access_control_max_age` - The number of seconds for CloudFront to use as the value for the `Access-Control-Max-Age` header in responses to CORS preflight requests. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br><br>    access_control_allow_credentials = optional(bool, false)<br>    access_control_allow_headers     = optional(set(string), ["*"])<br>    access_control_allow_methods     = optional(set(string), ["ALL"])<br>    access_control_allow_origins     = optional(set(string), ["*"])<br>    access_control_expose_headers    = optional(set(string), [])<br>    access_control_max_age           = optional(number, 600)<br>  })</pre> | `{}` | no |
 | <a name="input_custom_headers"></a> [custom\_headers](#input\_custom\_headers) | A configuration for specifying the custom HTTP headers in HTTP responses sent from CloudFront. Each item of `custom_headers` as defined below.<br>    `name` - The HTTP response header name.<br>    `value` - The value for the HTTP response header. If a header value is not provided, CloudFront adds the empty header (with no value) to the response.<br>    `override` - Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here. | <pre>list(object({<br>    name     = string<br>    value    = string<br>    override = optional(bool, false)<br>  }))</pre> | `[]` | no |
 | <a name="input_description"></a> [description](#input\_description) | A comment to describe the response headers policy. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_frame_options_header"></a> [frame\_options\_header](#input\_frame\_options\_header) | A configuration for `X-Frame-Options` header in HTTP responses sent from CloudFront. The `X-Frame-Options` HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. `frame_options_header` as defined below.<br>    `enabled` - Whether to enable `X-Frame-Options` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-Frame-Options` response header with the header received from the origin. Defaults to `true`.<br>    `value` - The value for the `X-Frame-Options` HTTP response header. Valid values are `DENY` or `SAMEORIGIN`.<br>      - `DENY`: The page cannot be displayed in a frame, regardless of the site attempting to do<br>      so.<br>      - `SAMEORIGIN`: The page can only be displayed if all ancestor frames are same origin to the page itself. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br>    value    = optional(string, "")<br>  })</pre> | `{}` | no |
+| <a name="input_frame_options_header"></a> [frame\_options\_header](#input\_frame\_options\_header) | A configuration for `X-Frame-Options` header in HTTP responses sent from CloudFront. The `X-Frame-Options` HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. `frame_options_header` as defined below.<br>    `enabled` - Whether to enable `X-Frame-Options` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-Frame-Options` response header with the header received from the origin. Defaults to `true`.<br>    `value` - The value for the `X-Frame-Options` HTTP response header. Valid values are `DENY` or `SAMEORIGIN`.<br>      - `DENY`: The page cannot be displayed in a frame, regardless of the site attempting to do<br>      so.<br>      - `SAMEORIGIN`: The page can only be displayed if all ancestor frames are same origin to the page itself. | <pre>object({<br>    enabled  = optional(bool, true)<br>    override = optional(bool, true)<br>    value    = optional(string, "DENY")<br>  })</pre> | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | A unique name to identify the response headers policy. | `string` | n/a | yes |
-| <a name="input_referrer_policy_header"></a> [referrer\_policy\_header](#input\_referrer\_policy\_header) | A configuration for `Referrer-Policy` header in HTTP responses sent from CloudFront. The `Referrer-Policy` HTTP header controls how much referrer information (sent with the `Referer` header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML. The original header name `Referer` is a misspelling of the word "referrer". The `Referrer-Policy` header does not share this misspelling. `referrer_policy_header` as defined below.<br>    `enabled` - Whether to enable `Referrer-Policy` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `Referrer-Policy` response header with the header received from the origin. Defaults to `true`.<br>    `value` - The value for the `Referrer-Policy` HTTP response header. Valid values are `no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`, `unsafe-url`. Defaults to `strict-origin-when-cross-origin`.<br>    - `strict-origin-when-cross-origin`: Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP). | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br>    value    = optional(string, "strict-origin-when-cross-origin")<br>  })</pre> | `{}` | no |
+| <a name="input_referrer_policy_header"></a> [referrer\_policy\_header](#input\_referrer\_policy\_header) | A configuration for `Referrer-Policy` header in HTTP responses sent from CloudFront. The `Referrer-Policy` HTTP header controls how much referrer information (sent with the `Referer` header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML. The original header name `Referer` is a misspelling of the word "referrer". The `Referrer-Policy` header does not share this misspelling. `referrer_policy_header` as defined below.<br>    `enabled` - Whether to enable `Referrer-Policy` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `Referrer-Policy` response header with the header received from the origin. Defaults to `true`.<br>    `value` - The value for the `Referrer-Policy` HTTP response header. Valid values are `no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`, `unsafe-url`. Defaults to `strict-origin-when-cross-origin`.<br>    - `strict-origin-when-cross-origin`: Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP). | <pre>object({<br>    enabled  = optional(bool, true)<br>    override = optional(bool, true)<br>    value    = optional(string, "same-origin")<br>  })</pre> | `{}` | no |
 | <a name="input_remove_headers"></a> [remove\_headers](#input\_remove\_headers) | A set of HTTP headers to remove from the HTTP response. | `set(string)` | `[]` | no |
 | <a name="input_server_timing_header"></a> [server\_timing\_header](#input\_server\_timing\_header) | A configuration for `Server-Timing` header in HTTP responses sent from CloudFront. This header can be used to view metrics for insights about CloudFront's behavior and performance. You can see which cache layer served a cache hit, the first byte latency from the origin when there was a cache miss. The metrics in the `Server-Timing` header can help you troubleshoot issues or test the efficiency of the CloudFront configuration. `server_timing_header` as defined below.<br>    `enabled` - Whether to add the `Server-Timing` header in HTTP response that match a cache behavior associated with this response headers policy. Defaults to `false`.<br>    `sampling_rate` - A number from 0 through 100 that specifies the percentage of responses that you want CloudFront to add the `Server-Timing` header to. When you set the sampling rate to `100`, CloudFront adds the `Server-Timing` header to the HTTP response for every request that matches the cache behavior that the response headers policy is attached to. Can have up to four decimal places like `9.9999`. | <pre>object({<br>    enabled       = optional(bool, false)<br>    sampling_rate = optional(number, 0)<br>  })</pre> | `{}` | no |
-| <a name="input_strict_transport_security_header"></a> [strict\_transport\_security\_header](#input\_strict\_transport\_security\_header) | A configuration for `Strict-Transport-Security` header in HTTP responses sent from CloudFront. The HTTP `Strict-Transport-Security` response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Note: This is more secure than simply configuring a HTTP to HTTPS (301) redirect on your server, where the initial HTTP connection is still vulnerable to a man-in-the-middle attack. `strict_transport_security_header` as defined below.<br>    `enabled` - Whether to enable `Strict-Transport-Security` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `Strict-Transport-Security` response header with the header received from the origin. Defaults to `true`.<br>    `max_age` - The value for the `max-age` directive of this header. The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to `31536000` (365 days).<br>    `include_subdomains` - Whether CloudFront includes the `includeSubDomains` directive in the value of this header. When this setting is `true`, this rule applies to all of the site's subdomains as well. Defaults to `false`.<br>    `preload` - Whether CloudFront includes the `preload` directive in the header value. However, it is not part of the HSTS specification and should not be treated as official. Defaults to `false`. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br><br>    max_age            = optional(number, 60 * 60 * 24 * 365)<br>    include_subdomains = optional(bool, false)<br>    preload            = optional(bool, false)<br>  })</pre> | `{}` | no |
-| <a name="input_xss_protection_header"></a> [xss\_protection\_header](#input\_xss\_protection\_header) | Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.<br><br>    A configuration for `X-XSS-Protection` header in HTTP responses sent from CloudFront. The HTTP `X-XSS-Protection` response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong `Content-Security-Policy` that disables the use of inline JavaScript ('unsafe-inline'). `xss_protection_header` as defined below.<br>    `enabled` - Whether to enable `X-XSS-Protection` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-XSS-Protection` response header with the header received from the origin. Defaults to `true`.<br>    `filtering_enabled` - Whether to enable XSS filtering. The value of `X-XSS-Protection` will be set to `0` (XSS filtering is disabled) or `1` (XSS filtering is enabled). Defaults to `true`.<br>    `block` - Whether to enable `block`, which determines whether CloudFront includes the `mode=block` directive in the header value. Defaults to `false`.<br>    `report` - A reporting URI (in the `report` field), which determines whether CloudFront includes the `report='reporting URI'` directive in the header value. You can't specify a reporting URI when block is enabled. | <pre>object({<br>    enabled  = optional(bool, false)<br>    override = optional(bool, true)<br><br>    filtering_enabled = optional(bool, true)<br>    block             = optional(bool, false)<br>    report            = optional(string, "")<br>  })</pre> | `{}` | no |
+| <a name="input_strict_transport_security_header"></a> [strict\_transport\_security\_header](#input\_strict\_transport\_security\_header) | A configuration for `Strict-Transport-Security` header in HTTP responses sent from CloudFront. The HTTP `Strict-Transport-Security` response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Note: This is more secure than simply configuring a HTTP to HTTPS (301) redirect on your server, where the initial HTTP connection is still vulnerable to a man-in-the-middle attack. `strict_transport_security_header` as defined below.<br>    `enabled` - Whether to enable `Strict-Transport-Security` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `Strict-Transport-Security` response header with the header received from the origin. Defaults to `true`.<br>    `max_age` - The value for the `max-age` directive of this header. The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to `31536000` (365 days).<br>    `include_subdomains` - Whether CloudFront includes the `includeSubDomains` directive in the value of this header. When this setting is `true`, this rule applies to all of the site's subdomains as well. Defaults to `false`.<br>    `preload` - Whether CloudFront includes the `preload` directive in the header value. However, it is not part of the HSTS specification and should not be treated as official. Defaults to `false`. | <pre>object({<br>    enabled  = optional(bool, true)<br>    override = optional(bool, true)<br><br>    max_age            = optional(number, 60 * 60 * 24 * 365)<br>    include_subdomains = optional(bool, true)<br>    preload            = optional(bool, true)<br>  })</pre> | `{}` | no |
+| <a name="input_xss_protection_header"></a> [xss\_protection\_header](#input\_xss\_protection\_header) | Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.<br><br>    A configuration for `X-XSS-Protection` header in HTTP responses sent from CloudFront. The HTTP `X-XSS-Protection` response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong `Content-Security-Policy` that disables the use of inline JavaScript ('unsafe-inline'). `xss_protection_header` as defined below.<br>    `enabled` - Whether to enable `X-XSS-Protection` response header. Defaults to `false`.<br>    `override` - Whether CloudFront overrides the `X-XSS-Protection` response header with the header received from the origin. Defaults to `true`.<br>    `filtering_enabled` - Whether to enable XSS filtering. The value of `X-XSS-Protection` will be set to `0` (XSS filtering is disabled) or `1` (XSS filtering is enabled). Defaults to `true`.<br>    `block` - Whether to enable `block`, which determines whether CloudFront includes the `mode=block` directive in the header value. Defaults to `false`.<br>    `report` - A reporting URI (in the `report` field), which determines whether CloudFront includes the `report='reporting URI'` directive in the header value. You can't specify a reporting URI when block is enabled. | <pre>object({<br>    enabled  = optional(bool, true)<br>    override = optional(bool, true)<br><br>    filtering_enabled = optional(bool, true)<br>    block             = optional(bool, true)<br>    report            = optional(string, "")<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
@@ -45,4 +45,5 @@ No modules.
 |------|-------------|
 | <a name="output_etag"></a> [etag](#output\_etag) | The current version of the response headers policy. |
 | <a name="output_id"></a> [id](#output\_id) | The identifier for the response headers policy. |
+| <a name="output_security_headers"></a> [security\_headers](#output\_security\_headers) | A configuration for several security-related HTTP response headers. |
 <!-- END_TF_DOCS -->
diff --git a/modules/response-headers/outputs.tf b/modules/response-headers/outputs.tf
index 3ce584e..7edbaf0 100644
--- a/modules/response-headers/outputs.tf
+++ b/modules/response-headers/outputs.tf
@@ -7,3 +7,15 @@ output "etag" {
   description = "The current version of the response headers policy."
   value       = aws_cloudfront_response_headers_policy.this.etag
 }
+
+output "security_headers" {
+  description = "A configuration for several security-related HTTP response headers."
+  value = {
+    content_security_policy   = var.content_security_policy_header
+    content_type_options      = var.content_type_options_header
+    frame_options             = var.frame_options_header
+    referrer_policy           = var.referrer_policy_header
+    strict_transport_security = var.strict_transport_security_header
+    xss_protection            = var.xss_protection_header
+  }
+}
diff --git a/modules/response-headers/tests/examples_response_headers.tftest.hcl b/modules/response-headers/tests/examples_response_headers.tftest.hcl
index 6c8935d..8dfd450 100644
--- a/modules/response-headers/tests/examples_response_headers.tftest.hcl
+++ b/modules/response-headers/tests/examples_response_headers.tftest.hcl
@@ -8,3 +8,49 @@ run "validate" {
     source = "../../examples/response-headers"
   }
 }
+
+run "validate_security_defaults" {
+  command = apply
+
+  module {
+    source = "../../examples/response-headers"
+  }
+
+  assert {
+    condition     = module.custom_resp_headers.security_headers.strict_transport_security.enabled == true
+    error_message = "HSTS should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.frame_options.enabled == true) && (module.custom_resp_headers.security_headers.frame_options.value == "DENY")
+    error_message = "Frame options should be enabled and deny"
+  }
+
+  assert {
+    condition     = module.custom_resp_headers.security_headers.content_type_options.enabled == true
+    error_message = "Content type options should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.xss_protection.enabled == true) && (module.custom_resp_headers.security_headers.xss_protection.block == true)
+    error_message = "XSS protection should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.referrer_policy.enabled == true) && (module.custom_resp_headers.security_headers.referrer_policy.value == "same-origin")
+    error_message = "Referrer policy should be enabled with `same-origin`"
+  }
+}
+
+run "override_defaults" {
+  command = apply
+
+  module {
+    source = "../../examples/response-headers"
+  }
+
+  assert {
+    condition     = module.override_default.security_headers.xss_protection.enabled == false
+    error_message = "XSS protection can be disabled"
+  }
+}
diff --git a/modules/response-headers/variables.tf b/modules/response-headers/variables.tf
index d0219ee..5e1f60b 100644
--- a/modules/response-headers/variables.tf
+++ b/modules/response-headers/variables.tf
@@ -105,7 +105,7 @@ variable "content_type_options_header" {
     `override` - Whether CloudFront overrides the `X-Content-Type-Options` response header with the header received from the origin. Defaults to `true`.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
   })
   default  = {}
@@ -124,9 +124,9 @@ variable "frame_options_header" {
       - `SAMEORIGIN`: The page can only be displayed if all ancestor frames are same origin to the page itself.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
-    value    = optional(string, "")
+    value    = optional(string, "DENY")
   })
   default  = {}
   nullable = false
@@ -150,9 +150,9 @@ variable "referrer_policy_header" {
     - `strict-origin-when-cross-origin`: Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
-    value    = optional(string, "strict-origin-when-cross-origin")
+    value    = optional(string, "same-origin")
   })
   default  = {}
   nullable = false
@@ -174,12 +174,12 @@ variable "strict_transport_security_header" {
     `preload` - Whether CloudFront includes the `preload` directive in the header value. However, it is not part of the HSTS specification and should not be treated as official. Defaults to `false`.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
 
     max_age            = optional(number, 60 * 60 * 24 * 365)
-    include_subdomains = optional(bool, false)
-    preload            = optional(bool, false)
+    include_subdomains = optional(bool, true)
+    preload            = optional(bool, true)
   })
   default  = {}
   nullable = false
@@ -198,11 +198,11 @@ variable "xss_protection_header" {
     `report` - A reporting URI (in the `report` field), which determines whether CloudFront includes the `report='reporting URI'` directive in the header value. You can't specify a reporting URI when block is enabled.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
 
     filtering_enabled = optional(bool, true)
-    block             = optional(bool, false)
+    block             = optional(bool, true)
     report            = optional(string, "")
   })
   default  = {}