diff --git a/browserid/app.js b/browserid/app.js
index 0d1c9e4998824ca997d8e08b20d5602f840fcde3..c685e4915292b37d4f94e7d662ea80243517dda5 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -122,6 +122,12 @@ exports.setup = function(server) {
     next();
   });
 
+  // prevent framing
+  server.use(function(req, resp, next) {
+      resp.setHeader('x-frame-options', 'DENY');
+      next();
+    });
+
   // add the actual URL handlers other than static
   router(server);
 }
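Review bot: The new `x-frame-options: DENY` middleware only covers responses produced by handlers registered after it, and the context comment "URL handlers other than static" suggests static content is served by a handler that is not visible in this hunk. If that static handler is registered earlier in `exports.setup` (which begins outside the hunk) and ends the response itself, the static HTML pages would go out without the header, so the ordering should be checked. I would also make the comment state the intent and the constraint, e.g. `// prevent framing (clickjacking); keep this above every handler that can end the response, static included`. As a matter of style, the middleware body is indented six spaces while the preceding middleware in the context lines uses four.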