diff --git a/.env.sample b/.env.sample
index eecdab7..b95b70b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -10,4 +10,4 @@ LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
 RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1', 'your-traefik_app']
-
+X_FRAME_OPTIONS_ALLOW_FROM=none
diff --git a/compose.yml b/compose.yml
index bf49416..5008497 100644
--- a/compose.yml
+++ b/compose.yml
@@ -81,6 +81,7 @@ services:
 environment:
 - NGINX_SERVER_SCHEME=https
 - RAILS_TRUSTED_PROXIES
+- X_FRAME_OPTIONS_ALLOW_FROM
 deploy:
 restart_policy:
 condition: on-failure
@@ -90,6 +91,9 @@ services:
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-frameOptions"
+- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=allow-from *.local-it.cloud"
+- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
 ## Redirect from EXTRA_DOMAINS to DOMAIN
 #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
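Review bot: The default `X_FRAME_OPTIONS_ALLOW_FROM=none` is substituted verbatim into a CSP `frame-ancestors` directive in compose.yml, where the keyword has to be quoted as `'none'`; an unquoted `none` is parsed as a host-source (a host literally named "none"), so framing is blocked only by accident and browsers emit a console warning. Because Compose strips one layer of quotes when reading `.env`, the literal single quotes presumably need wrapping, e.g. `X_FRAME_OPTIONS_ALLOW_FROM="'none'"` — confirm against the Compose version in use. A comment above the line stating the expected format would save the next operator a round trip, e.g. `# CSP frame-ancestors source list applied by the Traefik headers middleware, e.g. 'self' https://parent.example.org`.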
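Review bot: `customFrameOptionsValue=allow-from *.local-it.cloud` sets an `X-Frame-Options: ALLOW-FROM` value that current browsers do not implement (never supported by Chromium or Safari, dropped from Firefox), that only ever accepted a single origin rather than a wildcard, and that hard-codes a domain while the `contentSecurityPolicy` label on the next line derives its allow-list from `${X_FRAME_OPTIONS_ALLOW_FROM}` — the two labels express different policies and only the CSP one is enforced. Keep a single source of truth: drop the `customFrameOptionsValue` label (or set it to `SAMEORIGIN`, the only non-deny value still honoured) and rely on `frame-ancestors`. `${X_FRAME_OPTIONS_ALLOW_FROM}` expands to an empty string when unset, leaving `frame-ancestors ` with no sources, so a Compose default such as `${X_FRAME_OPTIONS_ALLOW_FROM:-'none'}` makes the fallback explicit (verify the quotes survive substitution); and the commented-out redirect block below reuses the same `traefik.http.routers.${STACK_NAME}.middlewares` label key, so re-enabling it would collide with the new label — combine them into one comma-separated value, `...middlewares=${STACK_NAME}-frameOptions,${STACK_NAME}-redirect`. If the Rails app itself emits a Content-Security-Policy header, the Traefik `contentSecurityPolicy` option replaces it wholesale, which should be confirmed before relying on any app-side CSP directives.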