diff --git a/CHANGES.md b/CHANGES.md
index 8234c4b3a3..bfa30aa703 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -63,6 +63,7 @@
 - Access to Health API now requires authentication with an API Key with access to `health.read` scope allowed
 - Added option to force HTTPS connection to the Appwrite server (_APP_OPTIONS_FORCE_HTTPS)
 - Now using your `_APP_SYSTEM_EMAIL_ADDRESS` as the email address for issuing and renewing SSL certificates
+- Block iframe access to Appwrite console using the `X-Frame-Options` header.
 
 # Version 0.6.2 (PRE-RELEASE)
 
diff --git a/app/controllers/shared/web.php b/app/controllers/shared/web.php
index cef1ebc04c..42d2a18c55 100644
--- a/app/controllers/shared/web.php
+++ b/app/controllers/shared/web.php
@@ -36,7 +36,9 @@ App::init(function ($utopia, $request, $response, $layout) {
 $response
 ->addHeader('Cache-Control', 'public, max-age='.$time)
 ->addHeader('Expires', \date('D, d M Y H:i:s', \time() + $time).' GMT') // 45 days cache
- ->addHeader('X-UA-Compatible', 'IE=Edge'); // Deny IE browsers from going into quirks mode
+ ->addHeader('X-Frame-Options', 'SAMEORIGIN') // Avoid console and homepage from showing in iframes
+ ->addHeader('X-UA-Compatible', 'IE=Edge') // Deny IE browsers from going into quirks mode
+ ;
 
 $route = $utopia->match($request);
 $scope = $route->getLabel('scope', '');
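Review bot: The `X-Frame-Options: SAMEORIGIN` header added to the chain in web.php is a legacy mechanism that browsers interpret inconsistently (some compare only the top-level document's origin, and the header is superseded by Content Security Policy), so the same intent should also be sent as `->addHeader('Content-Security-Policy', "frame-ancestors 'self'")` on the line next to it; browsers that understand both give CSP precedence and the legacy header remains as a fallback for older engines. The lone `;` placed on its own line after the last `->addHeader(...)` reads as a stray terminator; closing the chain on the `X-UA-Compatible` line as `->addHeader('X-UA-Compatible', 'IE=Edge'); // Deny IE browsers from going into quirks mode` matches the surrounding style. Because this runs inside the `App::init` hook, it presumably applies to every response that hook covers, not only the console and homepage named in the comment, so any route that legitimately needs to be embedded would need to override the header later — worth confirming none exists. The `App::init` closure starts and ends outside the hunk.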