diff --git a/Gemfile b/Gemfile
index 436f67c67..912c67abd 100644
--- a/Gemfile
+++ b/Gemfile
@@ -12,6 +12,10 @@ gem 'rails_autolink', '1.0.9'
 gem 'rack-cors', '0.2.7', :require => 'rack/cors'
+# click-jacking protection
+
+gem 'rack-protection', '1.2'
+
 # authentication
 gem 'devise', '2.1.2'
diff --git a/config.ru b/config.ru
index bd250d89b..9603dbba3 100644
--- a/config.ru
+++ b/config.ru
@@ -14,4 +14,6 @@ if defined?(Unicorn)
 end
 use Rack::Deflater
 use Rack::ChromeFrame, :minimum => 8
+use Rack::Protection::FrameOptions
+
 run Diaspora::Application
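Review bot: The comment above the new `gem 'rack-protection', '1.2'` line says "click-jacking protection", but rack-protection ships a whole family of middlewares and the accompanying config.ru change wires up only `Rack::Protection::FrameOptions`; a reader of the Gemfile cannot tell that the rest is deliberately unused. I would make the comment name the piece actually in use and where it is mounted, e.g. `# click-jacking protection: only Rack::Protection::FrameOptions is used (see config.ru)`, so a future upgrade or a decision to enable further protections (XSS header, path traversal, etc.) starts from a known baseline. The exact version pin matches the file's convention for the neighbouring gems, which is fine; just be aware that a hard pin means security fixes in later 1.x releases are not picked up automatically.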
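Review bot: `use Rack::Protection::FrameOptions` is added with no option, so whatever the middleware's default is (I believe it emits `X-Frame-Options: SAMEORIGIN`, but confirm against the pinned 1.2 source) silently becomes the policy for every HTML response, including anything Diaspora intends to be embeddable cross-origin; if nothing on the same origin needs to frame the app either, `use Rack::Protection::FrameOptions, :frame_options => :deny` is the stricter choice, and either way the chosen policy deserves a one-line comment next to the `use` line stating why. Middleware order here looks right: being listed after `Rack::Deflater` it runs inside it, so the header is set before the body is compressed. Note that `X-Frame-Options` only protects browsers that honour it and does not cover responses that bypass this Rack stack (static files served directly by the web server, for example), so this should be treated as one layer rather than complete click-jacking coverage. A request spec asserting the header on an HTML response would keep this from regressing if the middleware list is reordered later.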