diff --git a/packages/server/src/app.ts b/packages/server/src/app.ts
index ee88c49e8..a59f699ad 100644
--- a/packages/server/src/app.ts
+++ b/packages/server/src/app.ts
@@ -18,6 +18,7 @@ import { initializeJoplinUtils } from './utils/joplinUtils';
 import startServices from './utils/startServices';
 import { credentialFile } from './utils/testing/testUtils';
 import apiVersionHandler from './middleware/apiVersionHandler';
+import clickJackingHandler from './middleware/clickJackingHandler';
 const cors = require('@koa/cors');
 const nodeEnvFile = require('node-env-file');
@@ -171,6 +172,7 @@ async function main() {
 app.use(apiVersionHandler);
 app.use(ownerHandler);
 app.use(notificationHandler);
+ app.use(clickJackingHandler);
 app.use(routeHandler);
 await initConfig(env, envVariables);
diff --git a/packages/server/src/middleware/clickJackingHandler.ts b/packages/server/src/middleware/clickJackingHandler.ts
new file mode 100644
index 000000000..75033a3c9
--- /dev/null
+++ b/packages/server/src/middleware/clickJackingHandler.ts
@@ -0,0 +1,8 @@
+import { AppContext, KoaNext } from '../utils/types';
+
+export default async function(ctx: AppContext, next: KoaNext): Promise {
+ // https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
+ ctx.response.set('Content-Security-Policy', 'frame-ancestors \'none\'');
+ ctx.response.set('X-Frame-Options', 'DENY');
+ return next();
+}
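Review bot: `app.use(clickJackingHandler)` is registered after apiVersionHandler, ownerHandler and notificationHandler, so any response one of those produces without calling next() (an API-version rejection or an auth failure, if that is how they behave — their bodies are not visible here) goes out without `frame-ancestors` or `X-Frame-Options`. The new handler only sets two headers and calls next(), so it has no dependency on those middlewares and can safely run first; I would move the line to the head of this chain, `app.use(clickJackingHandler);` placed immediately before `app.use(apiVersionHandler);`. The body of main() continues outside the hunk.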
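Review bot: The two headers are written before `return next()`, so any downstream handler that calls `ctx.response.set('Content-Security-Policy', …)` for its own directives replaces this value and silently drops `frame-ancestors`, and if the app relies on Koa's default ctx.onerror for unhandled exceptions, that handler clears previously set headers before emitting the error page. Worth grepping the route handlers for existing CSP writes and either merging `frame-ancestors 'none'` into them or documenting here that this middleware must be the sole CSP writer. A short header comment would also help a reader who does not follow the OWASP link: `// Both headers on purpose: CSP frame-ancestors is the current standard, X-Frame-Options covers browsers without CSP2; 'none'/DENY forbids framing even from the same origin.` The return type is printed as bare `Promise`, which strict tsc rejects — presumably `Promise<void>` with the type argument lost in rendering; confirm against the actual file.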