diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9559e5f1..f7eca9c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
3. [](#bugfix)
* Fixed regression `Argument 4 passed to Grav\Plugin\Form\TwigExtension::prepareFormField() must be of the type array` [#2177](https://github.com/getgrav/grav-plugin-admin/issues/2177)
+ * Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
# v1.10.19
## 08/31/2021
diff --git a/classes/plugin/Router.php b/classes/plugin/Router.php
index 2c866616b..c9e32177f 100644
--- a/classes/plugin/Router.php
+++ b/classes/plugin/Router.php
@@ -67,6 +67,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
$this->stopTimer();
// Never allow admin pages to be rendered in ,