diff --git a/docs/references/api.md b/docs/references/api.md
index d3921688f..c11c7618d 100644
--- a/docs/references/api.md
+++ b/docs/references/api.md
@@ -117,7 +117,8 @@ Request:
     cert: <string>,                  // pem encoded TLS cert
     key: <string>,                   // pem encoded TLS key
     memoryLimit: <number>,           // memory constraint in bytes
-    altDomain: <string>              // alternate domain from which this app can be reached
+    altDomain: <string>,             // alternate domain from which this app can be reached
+    xFrameOptions: <string>          // set X-Frame-Options header, to control app embedding in other pages
 }
 ```
 
@@ -143,6 +144,9 @@ provided, a 400 will be returned.
 
 If `altDomain` is set, the app can be accessed from `https://<altDomain>`.
 
+`xFrameOptions` is set to `SAMEORIGIN` unless otherwise specified. This property can hold one value of either `DENY`, `SAMEORIGIN` or `ALLOW-FROM https://example.com/`.
+Read more about this [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
+
 Response (200):
 
 ```
@@ -450,7 +454,8 @@ Request:
     cert: <string>,                 // pem encoded TLS cert
     key: <string>,                  // pem encoded TLS key
     memoryLimit: <number>,          // memory constraint in bytes
-    altDomain: <string>             // alternate domain from which this app can be reached
+    altDomain: <string>,            // alternate domain from which this app can be reached
+    xFrameOptions: <string>         // set X-Frame-Options header, to control app embedding in other pages
 ```
 
 All values are optional. See [Install app](/references/api.html#install-app) API for field descriptions.