diff --git a/src/base/http/types.h b/src/base/http/types.h
index d748d9342..ae401c719 100644
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@@ -43,6 +43,7 @@ namespace Http
 const QString HEADER_CONTENT_ENCODING = "Content-Encoding";
 const QString HEADER_CONTENT_LENGTH = "Content-Length";
 const QString HEADER_CACHE_CONTROL = "Cache-Control";
+ const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
 
 const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
 const QString CONTENT_TYPE_GIF = "image/gif";
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index c0e42bf0a..738f7f4c2 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
 request_ = request;
 env_ = env;
 
- clear(); // clear response
+ // clear response
+ clear();
+
+ // avoid clickjacking attacks
+ header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 
 sessionInitialize();
 if (!sessionActive() && !isAuthNeeded())
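Review bot: The new `header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");` call in processRequest relies on X-Frame-Options alone, which current browsers treat as a legacy fallback; the Content-Security-Policy `frame-ancestors` directive is the standard mechanism, so the same spot should also emit `header("Content-Security-Policy", "frame-ancestors 'self'");` (preferably through a constant declared next to HEADER_X_FRAME_OPTIONS in types.h, as the first hunk does). The header is set right after clear(), so if any later path in processRequest or in the handlers it dispatches to calls clear() again on the response, the protection would be dropped silently — the rest of processRequest is outside the hunk, so this is worth confirming. The comment `// avoid clickjacking attacks` would be more precise as `// Refuse to be framed by other origins (clickjacking defence); must stay after clear().` processRequest begins and ends outside this hunk.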