diff --git a/docs/en_US/release_notes_4_3.rst b/docs/en_US/release_notes_4_3.rst
index a26cf8905..542a4d2b2 100644
--- a/docs/en_US/release_notes_4_3.rst
+++ b/docs/en_US/release_notes_4_3.rst
@@ -10,6 +10,7 @@ Features
 ********
 
 | `Feature #1825 `_ - Install a script to start pgAdmin (pgadmin4) from the command line when installed from the Python wheel.
+| `Feature #3439 `_ - Allow X-FRAME-OPTIONS to be set for security. Default to SAMEORIGIN.
 
 Bug fixes
 *********
diff --git a/web/config.py b/web/config.py
index 2aa4ea84f..e1c287c82 100644
--- a/web/config.py
+++ b/web/config.py
@@ -144,6 +144,12 @@ DEFAULT_SERVER_PORT = 5050
 # Enable CSRF protection?
 CSRF_ENABLED = True
 
+# Enable X-Frame-Option protection.
+# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
+# Note that "DENY" is NOT supported (and will be silently ignored).
+# See https://tools.ietf.org/html/rfc7034 for more info.
+X_FRAME_OPTIONS = "SAMEORIGIN"
+
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
 
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index bfe7e041d..b821aab7b 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -630,6 +630,11 @@ def create_app(app_name=None):
             path=config.COOKIE_DEFAULT_PATH,
             **domain)
 
+        # X-Frame-Options for security
+        if config.X_FRAME_OPTIONS != "" and \
+                config.X_FRAME_OPTIONS.lower() != "deny":
+            response.headers["X-Frame-Options"] = config.X_FRAME_OPTIONS
+
         return response
 
 ##########################################################################
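Review bot: The new comment block in config.py lists `ALLOW-FROM origin` as a supported value, but that directive is not honoured by current browsers (Chromium never implemented it and Firefox has dropped it), and a browser that does not recognise the value ignores the whole header, so a deployment that picks it ends up with no framing restriction at all. The `DENY` exclusion is also stated without its reason, which the next maintainer will need. Suggest rewording to `# Set to "SAMEORIGIN" (default) or "" to disable. "ALLOW-FROM origin" is obsolete and ignored by modern browsers; use a Content-Security-Policy frame-ancestors directive instead.` and adding a line saying why DENY is rejected, presumably because the application frames its own pages (confirm against the UI before writing that down).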
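Review bot: The guard `config.X_FRAME_OPTIONS != ""` in the __init__.py hunk does not cover a setting of `None`, so a deployment that disables the option that way raises AttributeError on `.lower()` inside the response hook on every request. Surrounding whitespace in the setting is also copied verbatim into the header value. Suggest `value = (config.X_FRAME_OPTIONS or "").strip()` followed by `if value and value.lower() != "deny":` and `response.headers["X-Frame-Options"] = value`. The enclosing function starts before this hunk, so the hook's definition and where it is registered are not visible here.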