diff --git a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
index e6ee172c2..4fb74a091 100644
--- a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@@ -1,6 +1,7 @@
 package run.halo.app.config;
 import static org.springframework.security.config.Customizer.withDefaults;
+import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWKSet;
@@ -60,6 +61,9 @@ public class WebServerSecurityConfig {
 .access(new RequestInfoAuthorizationManager(roleService))
 .pathMatchers("/**").permitAll()
 .and()
+ .headers()
+ .frameOptions().mode(SAMEORIGIN)
+ .and()
 .anonymous(anonymousSpec -> {
 anonymousSpec.authorities(AnonymousUserConst.Role);
 anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);
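Review bot: The added `.frameOptions().mode(SAMEORIGIN)` loosens Spring Security's default `X-Frame-Options: DENY` to allow same-origin framing, and nothing in the hunk records why that is needed; a one-line comment such as `// Allow same-origin framing (e.g. admin-side previews); default is DENY` would keep the next maintainer from tightening it back. `X-Frame-Options` is also a legacy header whose `SAMEORIGIN` check has historically been applied only to the top-level frame in some browsers rather than to every ancestor, so if no Content-Security-Policy is already emitted elsewhere it would be worth pairing it with `frame-ancestors 'self'`, which newer browsers prefer when both are present. Since this file already imports `Customizer` and uses a lambda for `.anonymous(...)`, the lambda DSL reads more consistently than the `.and()` chain, e.g. `.headers(headers -> headers.frameOptions(frame -> frame.mode(SAMEORIGIN)).contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'self'")))`, provided the Spring Security version in use offers those overloads. The `ServerHttpSecurity` chain this hunk sits in starts and ends outside the hunk.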