It appears we're each partially right: If you generated a new Rails app after August 2012, you get the header by default. If you generated the app before August 2012, you do not get the header by default.
So PSA: Updating Rails in an existing app does not cause this header to be added. You must add it yourself in application.rb if it's not already there. See garethadams' footnote #2 above.
[1]: https://github.com/rails/rails/blob/master/guides/source/sec... [2]: https://github.com/rails/rails/commit/2a290f7f7cdf775491eda0...