diff --git a/.github/workflows/cd/cloudretro.io/config.yaml b/.github/workflows/cd/cloudretro.io/config.yaml
index 64eb7807..180a570e 100644
--- a/.github/workflows/cd/cloudretro.io/config.yaml
+++ b/.github/workflows/cd/cloudretro.io/config.yaml
@@ -4,6 +4,7 @@ coordinator:
 debug: true
 server:
 address:
+ frameOptions: SAMEORIGIN
 https: true
 tls:
 domain: cloudretro.io
diff --git a/pkg/config/config.yaml b/pkg/config/config.yaml
index 7168a5c5..f6c9a9d7 100644
--- a/pkg/config/config.yaml
+++ b/pkg/config/config.yaml
@@ -60,6 +60,7 @@ coordinator:
 server:
 address: :8000
 cacheControl: "max-age=259200, must-revalidate"
+ frameOptions: ""
 https: false
 # Letsencrypt or self cert config
 tls:
diff --git a/pkg/config/shared.go b/pkg/config/shared.go
index ae99d289..2847048a 100644
--- a/pkg/config/shared.go
+++ b/pkg/config/shared.go
@@ -32,6 +32,7 @@ func (c *Monitoring) IsEnabled() bool { return c.MetricEnabled || c.ProfilingEna
 type Server struct {
 Address string
 CacheControl string
+ FrameOptions string
 Https bool
 Tls struct {
 Address string
diff --git a/pkg/coordinator/coordinator.go b/pkg/coordinator/coordinator.go
index cb80b739..9a257457 100644
--- a/pkg/coordinator/coordinator.go
+++ b/pkg/coordinator/coordinator.go
@@ -95,6 +95,9 @@ func index(conf config.CoordinatorConfig, log *logger.Logger) httpx.Handler {
 if conf.Coordinator.Server.CacheControl != "" {
 w.Header().Add("Cache-Control", conf.Coordinator.Server.CacheControl)
 }
+ if conf.Coordinator.Server.FrameOptions != "" {
+ w.Header().Add("X-Frame-Options", conf.Coordinator.Server.FrameOptions)
+ }
 if r.URL.Path == "/" || strings.HasSuffix(r.URL.Path, "/index.html") {
 tpl := template.Must(template.ParseFiles(indexHTML))
 handler(tpl, w, r)
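Review bot: The new `frameOptions: ""` key in pkg/config/config.yaml has no comment, and the empty default means the coordinator sends no X-Frame-Options header, so a stock install can be framed by any origin. A comment on the key would make that explicit, e.g. `# X-Frame-Options header value (DENY or SAMEORIGIN); empty = header is not sent`. If embedding the page on other sites is not a supported use case, `SAMEORIGIN` looks like the safer default here, matching what the cloudretro.io deployment config sets.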
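Review bot: In pkg/coordinator/coordinator.go the value of `conf.Coordinator.Server.FrameOptions` is written to the response unvalidated in the added `if` block of index(), and identically in the second hunk at -108. A typo in the config therefore yields a header that browsers ignore, leaving the page frameable with no warning. Checking the value once at startup against `DENY` and `SAMEORIGIN` would catch that; `ALLOW-FROM` is obsolete, so a cross-origin allow-list needs `Content-Security-Policy: frame-ancestors` instead. `w.Header().Set("X-Frame-Options", conf.Coordinator.Server.FrameOptions)` is preferable to `Add`, so a value set earlier in the chain is replaced rather than duplicated. The body of index() starts and ends outside both hunks, and routes served by other handlers are not visible here and may not carry the header.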
@@ -108,6 +111,9 @@ func index(conf config.CoordinatorConfig, log *logger.Logger) httpx.Handler {
 if conf.Coordinator.Server.CacheControl != "" {
 w.Header().Add("Cache-Control", conf.Coordinator.Server.CacheControl)
 }
+ if conf.Coordinator.Server.FrameOptions != "" {
+ w.Header().Add("X-Frame-Options", conf.Coordinator.Server.FrameOptions)
+ }
 if r.URL.Path == "/" || strings.HasSuffix(r.URL.Path, "/index.html") {
 handler(indexTpl, w, r)
 return