diff --git a/doc/INSTALL.md b/doc/INSTALL.md
index b7e1605..3b06e41 100644
--- a/doc/INSTALL.md
+++ b/doc/INSTALL.md
@@ -143,3 +143,23 @@ Password: changeme
 ```
 Immediately after logging in with this default user you will be asked to modify your details and change your password.
+
+
+### Advanced Options
+
+#### X-FRAME-OPTIONS Header
+
+You can configure the [`X-FRAME-OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) header
+value by specifying it as a Docker environment variable. The default if not specified is `deny`.
+
+```yml
+ ...
+ environment:
+ X_FRAME_OPTIONS: "sameorigin"
+ ...
+```
+
+```
+... -e "X_FRAME_OPTIONS=sameorigin" ...
+```
+
diff --git a/src/backend/app.js b/src/backend/app.js
index e433013..5980275 100644
--- a/src/backend/app.js
+++ b/src/backend/app.js
@@ -40,11 +40,17 @@ app.use(require('./lib/express/cors'));
 // General security/cache related headers + server header
 app.use(function (req, res, next) {
+ let x_frame_options = 'DENY';
+
+ if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+ x_frame_options = process.env.X_FRAME_OPTIONS;
+ }
+
 res.set({
 'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
- 'X-Frame-Options': 'DENY',
+ 'X-Frame-Options': x_frame_options,
 'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
 Pragma: 'no-cache',
 Expires: 0
diff --git a/src/backend/index.js b/src/backend/index.js
index cd0a781..d97450e 100644
--- a/src/backend/index.js
+++ b/src/backend/index.js
@@ -1,7 +1,5 @@
 #!/usr/bin/env node
-'use strict';
-
 const logger = require('./logger').global;
 function appStart () {
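Review bot: The value read from `X_FRAME_OPTIONS` in the added `if` block is copied into the `X-Frame-Options` header without any validation. Browsers only honour `DENY` and `SAMEORIGIN` and ignore the header for anything else (`ALLOW-FROM` is obsolete), so a typo or an unsupported value such as `allow-all` silently leaves every page frameable, which is precisely the clickjacking exposure this header exists to close; a value containing CR/LF is not injectable but would, as far as I can tell from Node's header-value validation, make `res.set` throw on every request. Normalise the value and accept only the two known tokens, falling back to `DENY` otherwise, and drop the `typeof ... !== 'undefined'` half of the condition, which is redundant next to the truthiness check. Operators who need the UI embedded from a different origin should be directed to CSP `frame-ancestors`, which `X-Frame-Options` cannot express. The `app.use` middleware body continues past the end of the hunk.
```javascript
let x_frame_options = 'DENY';

// Browsers honour only these two tokens; any other value would silently disable the protection.
const requested = String(process.env.X_FRAME_OPTIONS || '').trim().toUpperCase();
if (requested === 'DENY' || requested === 'SAMEORIGIN') {
    x_frame_options = requested;
}
// … unchanged: res.set({ ... 'X-Frame-Options': x_frame_options, ... }) …
```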