diff --git a/core/http_api.php b/core/http_api.php
index 9731712c54..6ce456a748 100644
--- a/core/http_api.php
+++ b/core/http_api.php
@@ -117,6 +117,15 @@ function http_content_headers() {
 }
 }
 
+/**
+ * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
+ */
+function http_security_headers() {
+ if ( !headers_sent() ) {
+ header( 'X-Frame-Options: DENY' );
+ }
+}
+
 /**
  * Load and set any custom headers defined by the site configuration.
  */
@@ -138,6 +147,7 @@ function http_all_headers() {
 if ( !$g_bypass_headers && !headers_sent() ) {
 http_content_headers();
 http_caching_headers();
+ http_security_headers();
 http_custom_headers();
 }
 }
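Review bot: The docblock on http_security_headers() over-promises: the body sends only `X-Frame-Options: DENY`, which addresses clickjacking/framing and nothing else, yet the summary claims XSS and CSRF protection, so a maintainer would assume those are covered. Suggest narrowing it to `/** Set security headers: X-Frame-Options: DENY forbids framing of this page (clickjacking). No XSS or CSRF mitigation is applied here. */`. Note also that DENY blocks same-origin framing too; if any part of the application legitimately embeds its own pages (not visible from this hunk), `SAMEORIGIN` or a config-selectable value would be needed rather than a hard-coded policy. The modern equivalent, `Content-Security-Policy: frame-ancestors 'none'`, could be sent alongside for browsers that honour CSP over X-Frame-Options.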
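Review bot: The new call is placed before http_custom_headers(), which means a site-configured X-Frame-Options header (loaded from site configuration per that function's docblock) will replace the DENY value, since PHP's header() replaces a same-named header by default; that is a useful escape hatch for sites that need SAMEORIGIN, but the ordering dependency is undocumented. Suggest a comment on the added line: `// before http_custom_headers() so site config can override X-Frame-Options`. The headers_sent() guard inside http_security_headers() duplicates the check on the enclosing if; harmless, but presumably intended for standalone callers, which is worth stating in its docblock.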