diff --git a/templates/includes/header.php b/templates/includes/header.php
index 5db1b5c4702a5a3b0f75e81ef7c0462d9fdbe021..ee24a9257d6d4ad3c733f15e452f5cefc71c0847 100644
--- a/templates/includes/header.php
+++ b/templates/includes/header.php
@@ -29,8 +29,16 @@ if (array_key_exists('pageid', $this->data)) {
 }
 // - o - o - o - o - o - o - o - o - o - o - o - o -
 
-
-
+/**
+ * Do not allow to frame simpleSAMLphp pages from another location.
+ * This prevents clickjacking attacks in modern browsers.
+ *
+ * If you don't want any framing at all you can even change this to
+ * 'DENY', or comment it out if you actually want to allow foreign
+ * sites to put simpleSAMLphp in a frame. The latter is however
+ * probably not a good security practice.
+ */
+header('X-Frame-Options: SAMEORIGIN');
 
 ?>
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
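Review bot: The `header('X-Frame-Options: SAMEORIGIN');` call sits in the shared template include, so only pages rendered through this header are protected. Responses that use their own template or bypass it stay frameable, and the call fails with a "headers already sent" warning if anything above line 29 (outside this hunk) has already produced output. Consider emitting it from a central point before any template is rendered, and guarding it here with `if (!headers_sent()) { header('X-Frame-Options: SAMEORIGIN'); }`. Since the docblock tells deployers to edit the template to change or disable the policy, a configuration option would let that choice survive upgrades. It may also be worth sending `header("Content-Security-Policy: frame-ancestors 'self'");` alongside it, as current browsers prefer that directive over X-Frame-Options; whether a CSP header is already set elsewhere is not visible here.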