diff --git a/server/routes/install-routes.js b/server/routes/install-routes.js
index 7613dc6..fceaf9b 100644
--- a/server/routes/install-routes.js
+++ b/server/routes/install-routes.js
@@ -6,9 +6,11 @@
 const asyncHandler = require('../lib/express-async-handler');
 const { handleTracingMiddleware } = require('../tracing/tracing-middleware');
 const getVersionTags = require('../lib/get-version-tags');
+const preventClickjackingMiddleware = require('./prevent-clickjacking-middleware');
 
 function installRoutes(app) {
   app.use(handleTracingMiddleware);
+  app.use(preventClickjackingMiddleware);
 
   let healthCheckResponse;
   app.get(
diff --git a/server/routes/prevent-clickjacking-middleware.js b/server/routes/prevent-clickjacking-middleware.js
new file mode 100644
index 0000000..4e95ba7
--- /dev/null
+++ b/server/routes/prevent-clickjacking-middleware.js
@@ -0,0 +1,10 @@
+'use strict';
+
+// Don't allow others to iframe embed which can lead to clickjacking
+function preventClickjackingMiddleware(req, res, next) {
+  res.set('X-Frame-Options', 'DENY');
+
+  next();
+}
+
+module.exports = preventClickjackingMiddleware;
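Review bot: The new middleware relies on `X-Frame-Options` alone, which is the legacy framing control; browsers that implement CSP `frame-ancestors` ignore `X-Frame-Options` whenever that directive is present, so if a `Content-Security-Policy` header is ever added elsewhere in the response chain without `frame-ancestors 'none'`, this header stops protecting anything. Emit both in the same place, e.g. add `res.set('Content-Security-Policy', "frame-ancestors 'none'");` next to the existing `res.set`, keeping `X-Frame-Options: DENY` for older clients, and be aware that `res.set` overwrites any CSP value set by an earlier middleware. Since the header is now applied to every response, a small regression test that requests a route and asserts both headers are present would keep this from silently regressing. The comment could state the intent more precisely: `// Refuse to be framed by any origin (clickjacking defense); X-Frame-Options is the legacy header, CSP frame-ancestors the modern equivalent.`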