diff --git a/src/appdb.js b/src/appdb.js
index 897542040..64fa70b0a 100644
--- a/src/appdb.js
+++ b/src/appdb.js
@@ -92,6 +92,9 @@ function postProcess(result) {
     result.accessRestriction = safe.JSON.parse(result.accessRestrictionJson);
     if (result.accessRestriction && !result.accessRestriction.users) result.accessRestriction.users = [];
     delete result.accessRestrictionJson;
+
+    // TODO remove later once all apps have this attribute
+    result.xFrameOptions = result.xFrameOptions || 'SAMEORIGIN';
 }
 
 function get(id, callback) {
diff --git a/src/apps.js b/src/apps.js
index a5c47bad8..90a1dd0c1 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -262,7 +262,7 @@ function getAppConfig(app) {
         accessRestriction: app.accessRestriction,
         portBindings: app.portBindings,
         memoryLimit: app.memoryLimit,
-        xFrameOptions: app.xFrameOptions,
+        xFrameOptions: app.xFrameOptions || 'SAMEORIGIN',
         altDomain: app.altDomain
     };
 }