diff --git a/src/apps.js b/src/apps.js
index 3746deba2..a5c47bad8 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -262,6 +262,7 @@ function getAppConfig(app) {
         accessRestriction: app.accessRestriction,
         portBindings: app.portBindings,
         memoryLimit: app.memoryLimit,
+        xFrameOptions: app.xFrameOptions,
         altDomain: app.altDomain
     };
 }
@@ -541,6 +542,12 @@ function configure(appId, data, auditSource, callback) {
         values.memoryLimit = values.memoryLimit || app.memoryLimit || app.manifest.memoryLimit || constants.DEFAULT_MEMORY_LIMIT;
     }
 
+    if ('xFrameOptions' in data) {
+        values.xFrameOptions = data.xFrameOptions;
+        error = validateXFrameOptions(values.xFrameOptions);
+        if (error) return callback(error);
+    }
+
     // save cert to data/box/certs. TODO: move this to apptask when we have a real task queue
     if ('cert' in data && 'key' in data) {
         if (data.cert && data.key) {
@@ -782,6 +789,7 @@ function clone(appId, data, auditSource, callback) {
         installationState: appdb.ISTATE_PENDING_CLONE,
         memoryLimit: app.memoryLimit,
         accessRestriction: app.accessRestriction,
+        xFrameOptions: app.xFrameOptions,
         lastBackupId: backupId
     };
 
diff --git a/src/nginx.js b/src/nginx.js
index 1a0d6a16a..b103c0f60 100644
--- a/src/nginx.js
+++ b/src/nginx.js
@@ -75,7 +75,7 @@ function configureApp(app, certFilePath, keyFilePath, callback) {
         endpoint: endpoint,
         certFilePath: certFilePath,
         keyFilePath: keyFilePath,
-        xFrameOptions: app.xFrameOptions || 'SAMEORIGIN'
+        xFrameOptions: app.xFrameOptions || 'SAMEORIGIN' // once all apps have been updated/
     };
 
     var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 707f63fa1..f2b20347a 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -53,7 +53,8 @@ function removeInternalAppFields(app) {
         iconUrl: app.iconUrl,
         fqdn: app.fqdn,
         memoryLimit: app.memoryLimit,
-        altDomain: app.altDomain
+        altDomain: app.altDomain,
+        xFrameOptions: app.xFrameOptions
     };
 }
 
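Review bot: `validateXFrameOptions`, called on the new line `error = validateXFrameOptions(values.xFrameOptions);` in configure(), is not defined anywhere in this diff, so a reader cannot tell what it accepts; because the stored value is rendered verbatim into the site config by `ejs.render(NGINX_APPCONFIG_EJS, data)` in src/nginx.js, that validator needs to be an allowlist on the header's grammar (`DENY`, `SAMEORIGIN`, or `ALLOW-FROM` plus a single origin, with no newline, `;` or quote characters) rather than a type check, otherwise a user-settable string can alter the generated nginx directives. The route layer only rejects truthy non-strings, so `null` or `''` reach this block with `'xFrameOptions' in data` true; presumably that is meant to unset the value (nginx.js then falls back to `'SAMEORIGIN'`), and a comment such as `// falsy value unsets it; nginx falls back to SAMEORIGIN` plus an explicit accept of that case in the validator would make the contract clear. `error` is assigned here without a declaration visible in the hunk; confirm it is declared earlier in configure(), whose body starts and ends outside the hunk.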
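Review bot: The new trailing comment `// once all apps have been updated/` in nginx.js configureApp() breaks off mid-sentence and does not say what should happen at that point, and it is the only thing this hunk changes. If the intent is to retire the `|| 'SAMEORIGIN'` fallback once every stored app record carries an explicit value, state it: `// TODO: drop the 'SAMEORIGIN' fallback once all existing apps carry an explicit xFrameOptions`. Note also that `||` treats `''` and `null` like a missing value, so an app cannot explicitly disable the header through this path; if that is deliberate, the comment is the right place to say so. configureApp() continues outside the hunk.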
@@ -120,6 +121,8 @@ function installApp(req, res, next) {
     // falsy value in altDomain unsets it
     if (data.altDomain && typeof data.altDomain !== 'string') return next(new HttpError(400, 'altDomain must be a string'));
 
+    if (data.xFrameOptions && typeof data.xFrameOptions !== 'string') return next(new HttpError(400, 'xFrameOptions must be a string'));
+
     debug('Installing app id:%s data:%j', data);
 
     apps.install(data, auditSource(req), function (error, app) {
@@ -155,6 +158,7 @@ function configureApp(req, res, next) {
     if ('memoryLimit' in data && typeof data.memoryLimit !== 'number') return next(new HttpError(400, 'memoryLimit is not a number'));
     if (data.altDomain && typeof data.altDomain !== 'string') return next(new HttpError(400, 'altDomain must be a string'));
+    if (data.xFrameOptions && typeof data.xFrameOptions !== 'string') return next(new HttpError(400, 'xFrameOptions must be a string'));
 
     debug('Configuring app id:%s data:%j', req.params.id, data);
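Review bot: The new check in installApp(), `if (data.xFrameOptions && typeof data.xFrameOptions !== 'string')`, only rejects truthy non-strings: `false`, `0` and `null` pass through to apps.install, and so does a string of any content, even though the value is later rendered into the nginx site config (src/nginx.js, `ejs.render(NGINX_APPCONFIG_EJS, data)`). Unless apps.install applies the same `validateXFrameOptions` that configure() now does (not visible in this diff), the install path has no content check at all and should get one, ideally at the route so both entry points reject malformed values before they are stored. The neighbouring altDomain line carries `// falsy value in altDomain unsets it`; the added line should carry the matching `// falsy value in xFrameOptions unsets it (nginx then falls back to SAMEORIGIN)` so the deliberate permissiveness of the check is documented. The configureApp() hunk below adds the identical check and has the same gaps; its end lies outside this chunk.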