diff --git a/app/web.php b/app/web.php
index 06cf4fed..7805b0e4 100644
--- a/app/web.php
+++ b/app/web.php
@@ -148,6 +148,7 @@ try {
 if (!isset($hook_before)) {
 $hook_before = function ($handler) {
+ header("Content-Security-Policy: frame-ancestors 'none'");
 $failed_access_requests = Requestlog::getCounts(['login', 'signup'], 'fail');
 if (is_max_invalid_request($failed_access_requests['day'])) {
 G\set_status_header(403);
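Review bot: The new `header("Content-Security-Policy: frame-ancestors 'none'")` call sits inside the default `$hook_before` closure, so it is only sent when no `$hook_before` was defined earlier and only on requests that reach this hook; a caller-supplied hook, or a response produced before the hook runs, would go out without framing protection. Consider emitting it before the `if (!isset($hook_before))` guard, and pairing it with `header('X-Frame-Options: DENY');` for browsers that do not honour `frame-ancestors`. Because `header()` replaces an earlier header of the same name by default, a Content-Security-Policy set elsewhere in the request would overwrite this one or be overwritten by it, so a short comment such as `// Anti-clickjacking: forbid framing; keep in sync with any other CSP header` would help. The closure and the enclosing `try` both continue outside the hunk, so whether other code paths set these headers cannot be seen here.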