diff --git a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
index 23f13695d32f9f87a8e3880c9c8eb5b05cd6c287..b5fc2aaf25a685b87fdd1f423ed6f2f7bfcb9e1f 100644
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -121,7 +121,7 @@ public function onRespond(ResponseEvent $event) {
     // Prevent browsers from sniffing a response and picking a MIME type
     // different from the declared content-type, since that can lead to
     // XSS and other vulnerabilities.
-    // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    // https://owasp.org/www-project-secure-headers
     $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
     $response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);