diff --git a/src/nginxconfig/generators/conf/security.conf.js b/src/nginxconfig/generators/conf/security.conf.js
index f82d1d8..3b8ef7d 100644
--- a/src/nginxconfig/generators/conf/security.conf.js
+++ b/src/nginxconfig/generators/conf/security.conf.js
@@ -30,7 +30,6 @@ export default (domains, global) => {
 const config = [];
 config.push(['# security headers', '']);
- config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);
 config.push(['add_header X-XSS-Protection', '"1; mode=block" always']);
 config.push(['add_header X-Content-Type-Options', '"nosniff" always']);
 config.push(['add_header Referrer-Policy', `"${global.security.referrerPolicy.computed}" always`]);
diff --git a/src/nginxconfig/templates/global_sections/security.vue b/src/nginxconfig/templates/global_sections/security.vue
index f3f73e3..bf233f7 100644
--- a/src/nginxconfig/templates/global_sections/security.vue
+++ b/src/nginxconfig/templates/global_sections/security.vue
@@ -161,7 +161,7 @@ THE SOFTWARE.
 enabled: true,
 },
 contentSecurityPolicy: {
- default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'',
+ default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'; frame-ancestors \'self\';',
 enabled: true,
 },
 serverTokens: {
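Review bot: Dropping the unconditional `add_header X-Frame-Options` line leaves clickjacking protection dependent on the CSP, which the second hunk shows has its own `enabled` flag and a user-editable `default` string; if CSP is disabled or the user removes `frame-ancestors` from the value, the generated config emits no framing restriction at all, and browsers without CSP `frame-ancestors` support lose the protection even when CSP is on. A safer shape keeps the old header as a fallback whenever the CSP does not carry the directive, e.g. `const csp = global.security.contentSecurityPolicy;` then `if (!csp.enabled || !/frame-ancestors/.test(csp.computed)) config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);` — the `.computed` accessor is assumed by analogy with `referrerPolicy.computed` on the visible line and should be confirmed against the CSP emit line, which is outside this hunk. The enclosing arrow function starts before and continues past the hunk.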
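Review bot: The new `frame-ancestors 'self';` suffix on the `contentSecurityPolicy.default` string now silently carries the clickjacking protection that the removed `X-Frame-Options` header used to provide, but nothing in the data block says so, and a maintainer trimming the default later would not know what they are dropping. Add a comment above the `default:` line, e.g. `// frame-ancestors 'self' replaces the X-Frame-Options SAMEORIGIN header; keep it unless a fallback header is restored in security.conf.js`. The enclosing data object starts and ends outside this hunk.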