diff --git a/server/httputil/headers.go b/server/httputil/headers.go
index 8594f43298f4e86e28749d50c1b50472617e2145..b71235384c4329d9196aa33c02ea01c3050fa955 100644
--- a/server/httputil/headers.go
+++ b/server/httputil/headers.go
@@ -12,7 +12,7 @@ func WithDynamicHeaders(h http.Handler, csp string) http.Handler {
 		hdr.Set("Pragma", "no-cache")
 		hdr.Set("Cache-Control", "no-store")
 		hdr.Set("Expires", "-1")
-		hdr.Set("X-Frame-Options", "NONE")
+		hdr.Set("X-Frame-Options", "deny")
 		hdr.Set("X-XSS-Protection", "1; mode=block")
 		hdr.Set("X-Content-Type-Options", "nosniff")
 		if csp != "" && hdr.Get("Content-Security-Policy") == "" {
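Review bot: The corrected `hdr.Set("X-Frame-Options", "deny")` line has no comment or test pinning its value, and the previous `NONE` is not a recognised directive, so browsers would most likely have ignored it without any visible failure. I would add `// Forbid framing (clickjacking defence); keep in sync with frame-ancestors in the CSP.` above the line, plus a handler test asserting that the response carries `X-Frame-Options: deny`. Browsers that support CSP `frame-ancestors` give it precedence over `X-Frame-Options`, and the `csp` string checked at the end of the hunk comes from the caller and is not visible here, so confirm it includes `frame-ancestors 'none'` so that both controls agree. The body of WithDynamicHeaders starts before and continues past this hunk.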