diff --git a/web/index.js b/web/index.js
index 487c09d80..46362ccdc 100644
--- a/web/index.js
+++ b/web/index.js
@@ -6,6 +6,7 @@ const logger = require('koa-logger');
 const router = require('./src/routes');
 const redirectMiddleware = require('./middleware/redirect');
 const cacheControlMiddleware = require('./middleware/cache-control');
+const iframeDestroyerMiddleware = require('./middleware/iframe-destroyer');
 
 const app = new Koa();
 const DIST_ROOT = path.resolve(__dirname, 'dist');
@@ -25,6 +26,7 @@ app.use(async (ctx, next) => {
 app.use(logger());
 app.use(cacheControlMiddleware);
 app.use(redirectMiddleware);
+app.use(iframeDestroyerMiddleware);
 app.use(serve(DIST_ROOT)); // Check if the request url matches any assets inside of /dist
 
 app.use(router.routes());
diff --git a/web/middleware/iframe-destroyer.js b/web/middleware/iframe-destroyer.js
new file mode 100644
index 000000000..1737480f3
--- /dev/null
+++ b/web/middleware/iframe-destroyer.js
@@ -0,0 +1,15 @@
+const PAGES = require('../../ui/constants/pages');
+
+async function iframeDestroyerMiddleware(ctx, next) {
+  const {
+    request: { path },
+  } = ctx;
+
+  if (!path.startsWith(`/$/${PAGES.EMBED}`)) {
+    ctx.set('X-Frame-Options', 'DENY');
+  }
+
+  return next();
+}
+
+module.exports = iframeDestroyerMiddleware;