diff --git a/setup/start/nginx/appconfig.ejs b/setup/start/nginx/appconfig.ejs
index b305eb0f1..ef921f87b 100644
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -24,6 +24,9 @@ server {
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
 
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+    add_header X-Frame-Options SAMEORIGIN;
+
     proxy_http_version 1.1;
     proxy_intercept_errors on;
     proxy_read_timeout       3500;