diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9559e5f1..f7eca9c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 3. [](#bugfix)
 * Fixed regression `Argument 4 passed to Grav\Plugin\Form\TwigExtension::prepareFormField() must be of the type array` [#2177](https://github.com/getgrav/grav-plugin-admin/issues/2177)
+ * Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
 # v1.10.19
 ## 08/31/2021
diff --git a/classes/plugin/Router.php b/classes/plugin/Router.php
index 2c866616b..c9e32177f 100644
--- a/classes/plugin/Router.php
+++ b/classes/plugin/Router.php
@@ -67,6 +67,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 $this->stopTimer();
 // Never allow admin pages to be rendered in ,