diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/app b/puppet/zulip/files/nginx/zulip-include-frontend/app
index 655ee04e0b..e0cb156b64 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/app
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/app
@@ -4,6 +4,9 @@ error_log /var/log/nginx/error.log;
 # Enable HSTS: tell browsers to always use HTTPS
 add_header Strict-Transport-Security max-age=15768000;
+# Set X-Frame-Options to deny to prevent clickjacking
+add_header X-Frame-Options DENY;
+
 # Serve a custom error page when the app is down
 error_page 502 503 504 /static/html/5xx.html;
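Review bot: The added `add_header X-Frame-Options DENY;` has no `always` parameter, so nginx attaches the header only to successful and redirect responses; the 502/503/504 responses handled by the `error_page` line just below it, and other 4xx/5xx responses, would be sent without it. Consider `add_header X-Frame-Options DENY always;` (the parameter needs nginx 1.7.5 or later; the deployed version is not visible in this diff). nginx also inherits `add_header` from this level only into blocks that define no `add_header` of their own, so any `location` elsewhere in this include that sets a header would drop both this header and HSTS; the rest of the file is outside the hunk, so that needs checking. `DENY` forbids same-origin framing as well, which is worth confirming against any place the app frames its own pages.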