diff --git a/src/Routing/Middleware/SecurityMiddleware.php b/src/Routing/Middleware/SecurityMiddleware.php
index 58fe98d266e..5a93a01f556 100644
--- a/src/Routing/Middleware/SecurityMiddleware.php
+++ b/src/Routing/Middleware/SecurityMiddleware.php
@@ -96,7 +96,7 @@ public function setReferrerPolicy($policy = 'same-origin')
      *
      * Available Value: 'deny', 'sameorigin', 'allow-from '
      *
-     * @param string $mode Mode value
+     * @param string $option Option value
      * @param string $url URL if mode is `allow-from`
      * @return $this
      */
@@ -126,13 +126,15 @@ public function setXFrameOptions($option = 'sameorigin', $url = null)
      * @param string $mode Mode value
      * @return $this
      */
-    public function setXssProtection($mode = '1; mode=block')
+    public function setXssProtection($mode = 'block')
     {
+        $mode = (string)$mode;
+
         if ($mode === 'block') {
             $mode = '1; mode=block';
         }
-        $this->checkValues($mode, ['all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename']);
+        $this->checkValues($mode, ['1', '0', '1; mode=block']);
         $this->headers['x-permitted-cross-domain-policies'] = $mode;
         return $this;
@@ -159,7 +161,7 @@ public function setCrossDomainPolicy($policy = 'all')
     /**
      * Convenience method to check if a value is in the list of allowed args
      *
-     * @throws \InvalidArgumentException Thown when a value is invalid.
+     * @throws \InvalidArgumentException Thrown when a value is invalid.
      * @param string $value
      * @param array $allowed
      * @return void
@@ -167,8 +169,8 @@ public function setCrossDomainPolicy($policy = 'all')
     protected function checkValues($value, array $allowed)
     {
         if (!in_array($value, $allowed)) {
-            throw new InvalidArgumentException(
-                sprintf('Invalid arg `%s`, use one of these: %s',
+            throw new InvalidArgumentException(sprintf(
+                'Invalid arg `%s`, use one of these: %s',
                 $value,
                 implode(', ', $allowed)
             )
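Review bot: setXssProtection still stores its value under `$this->headers['x-permitted-cross-domain-policies']` (the context line right after the new checkValues call), so the X-XSS-Protection header is never emitted at all and the value silently overwrites whatever setCrossDomainPolicy put there — a browser would receive `X-Permitted-Cross-Domain-Policies: 1; mode=block`, which is not a valid value for that header. The new allowed list `['1', '0', '1; mode=block']` is right for X-XSS-Protection, so only the key is wrong: `$this->headers['x-xss-protection'] = $mode;`. The test added in this same commit asserts the mixed-up key, so it will need the matching fix or it will start failing. Worth a docblock caveat as well, something like `* Note: X-XSS-Protection is a legacy header; modern browsers ignore it and a Content-Security-Policy is the effective control.`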
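Review bot: The `in_array($value, $allowed)` on the `if` line of checkValues is a loose comparison, so the whitelist is weaker than it reads: on PHP 5.6/7 an integer `0` passed to any setter compares equal to every non-numeric string in `$allowed` (`0 == 'all'`), and a numeric-looking string such as `'1e0'` matches `'1'` on every version, so an unvalidated value can reach the response header. Every allowed value here is a string, so the strict flag closes this: `if (!in_array($value, $allowed, true)) {`. The (string) cast added to setXssProtection covers only that one caller; the other setters that call checkValues are outside this hunk, as is the end of checkValues itself.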
diff --git a/tests/TestCase/Routing/Middleware/SecurityMiddlewareTest.php b/tests/TestCase/Routing/Middleware/SecurityMiddlewareTest.php
new file mode 100644
index 00000000000..3f8c10a5c09
--- /dev/null
+++ b/tests/TestCase/Routing/Middleware/SecurityMiddlewareTest.php
@@ -0,0 +1,73 @@
+            '/',
+        ]);
+        $response = new Response();
+        $next = function ($req, $res) {
+            return $res;
+        };
+
+        $middleware = new SecurityMiddleware();
+        $middleware
+            ->setCrossDomainPolicy()
+            ->setReferrerPolicy()
+            ->setXFrameOptions()
+            ->setXssProtection()
+            ->noOpen()
+            ->noSniff();
+
+        $expected = [
+            'x-permitted-cross-domain-policies' => [
+                0 => '1; mode=block'
+            ],
+            'referrer-policy' => [
+                0 => 'same-origin'
+            ],
+            'x-frame-options' => [
+                0 => 'sameorigin'
+            ],
+            'x-download-options' => [
+                0 => 'noopen'
+            ],
+            'x-content-type-options' => [
+                0 => 'nosniff'
+            ]
+
+        ];
+
+        $result = $middleware($request, $response, $next);
+        $this->assertEquals($expected, $result->getHeaders());
+    }
+}
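Review bot: The expected array pins `'x-permitted-cross-domain-policies' => [0 => '1; mode=block']` and has no `x-xss-protection` entry, so the test locks in the header mix-up in setXssProtection instead of catching it: with the defaults used here the assertion should be `'x-permitted-cross-domain-policies' => [0 => 'all']` plus `'x-xss-protection' => [0 => '1; mode=block']`, and it will fail until the header key in the middleware is corrected, which is the point. A second test that calls a setter with an unsupported value under `$this->expectException(InvalidArgumentException::class)` would also cover the checkValues path that this commit reworks. The head of this hunk (the `<?php` preamble, imports, the test method signature and the first lines of the `ServerRequest` fixture) is not visible in this rendering, so the request setup could not be reviewed.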