diff --git a/app/constants.php b/app/constants.php
index c711576..f3c7347 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -36,6 +36,7 @@ defined('SUBSCRIPTION_CONCURRENT_REQUESTS') or define('SUBSCRIPTION_CONCURRENT_R
 defined('RULES_DIRECTORY') or define('RULES_DIRECTORY', ROOT_DIRECTORY.DIRECTORY_SEPARATOR.'rules');
+defined('ENABLE_XFRAME') or define('ENABLE_XFRAME', true);
 defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);
 defined('ENABLE_CRONJOB_HTTP_ACCESS') or define('ENABLE_CRONJOB_HTTP_ACCESS', true);
diff --git a/app/controllers/common.php b/app/controllers/common.php
index 02a3d40..3bf7469 100644
--- a/app/controllers/common.php
+++ b/app/controllers/common.php
@@ -40,10 +40,13 @@ Router\before(function ($action) {
         'referrer' => 'no-referrer',
     ));
-    Response\xframe();
     Response\xss();
     Response\nosniff();
+    if (ENABLE_XFRAME) {
+        Response\xframe();
+    }
+
     if (ENABLE_HSTS && Helper\is_secure_connection()) {
         Response\hsts();
     }
diff --git a/config.default.php b/config.default.php
index 7234341..2f98edc 100644
--- a/config.default.php
+++ b/config.default.php
@@ -57,3 +57,9 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);
 // Allow the cronjob to be accessible from the browser
 define('ENABLE_CRONJOB_HTTP_ACCESS', true);
+
+// Enable/disable HTTP header X-Frame-Options
+define('ENABLE_XFRAME', true);
+
+// Enable/disable HSTS HTTP header
+define('ENABLE_HSTS', true);
diff --git a/docs/config.markdown b/docs/config.markdown
index 9b0748c..53c15b2 100644
--- a/docs/config.markdown
+++ b/docs/config.markdown
@@ -106,4 +106,10 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);
 // Allow the cronjob to be accessible from the browser
 define('ENABLE_CRONJOB_HTTP_ACCESS', true);
+
+// Enable/disable HTTP header X-Frame-Options
+define('ENABLE_XFRAME', true);
+
+// Enable/disable HSTS HTTP header
+define('ENABLE_HSTS', true);
 ```
\ No newline at end of file
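Review bot: The new `if (ENABLE_XFRAME)` guard in app/controllers/common.php makes the only framing protection this hook sends optional, and nothing at the call site says what turning it off costs: with the header gone every page can be embedded by any origin, which is the clickjacking case X-Frame-Options exists to block. A why-comment above the guard would keep the next maintainer from treating it as cosmetic, e.g. `// X-Frame-Options is the clickjacking defence; ENABLE_XFRAME=false should only be used when the app is deliberately embedded and framing is restricted another way (e.g. a CSP frame-ancestors directive).` The guard itself mirrors the existing ENABLE_HSTS block, which is the right shape. The `Router\before` closure starts before this hunk and ends after it.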
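Review bot: The two new comments in config.default.php say which header each flag toggles but not the consequence of setting it to false, which is the thing an operator editing a copied config needs before flipping a security header off; the same wording is repeated in docs/config.markdown and should change together. Suggest `// Enable/disable HTTP header X-Frame-Options (false lets other sites frame the app: clickjacking risk)` and `// Enable/disable HSTS HTTP header (false stops telling browsers to use HTTPS only)`. It may also be worth stating that both default to true in app/constants.php when the key is absent from config.php, so an old config.php is not silently less secure after this change, presumably the intent of the `defined() or define()` fallback there.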