diff --git a/config/default-disco.js b/config/default-disco.js
index 120a770d8a2..4a8a6189d21 100644
--- a/config/default-disco.js
+++ b/config/default-disco.js
@@ -4,4 +4,10 @@ module.exports = {
       frameAncestors: ['about:addons'],
     },
   },
+
+  // x-frame-options must match frame-ancestors CSP directive.
+  frameGuard: {
+    action: 'allow-from',
+    domain: 'about:addons',
+  },
 };
diff --git a/config/default.js b/config/default.js
index b57be234829..326c54b482b 100644
--- a/config/default.js
+++ b/config/default.js
@@ -108,6 +108,10 @@ module.exports = {
     disableAndroid: false,
   },
 
+  frameGuard: {
+    action: 'deny',
+  },
+
   supportedLocales: [
     'af', 'ar', 'bg', 'bn-BD', 'ca', 'cs', 'da', 'de', 'dbg', 'dbg-rtl', 'el',
     'en-GB', 'en-US', 'es', 'eu', 'fa', 'fi', 'fr', 'ga-IE', 'he', 'hu', 'id',
diff --git a/src/core/server/base.js b/src/core/server/base.js
index 3bb57dd4b2b..7e76e339803 100644
--- a/src/core/server/base.js
+++ b/src/core/server/base.js
@@ -45,7 +45,7 @@ function baseServer(routes, createStore, { appInstanceName = appName } = {}) {
   app.use(logRequests);
 
   // Sets X-Frame-Options
-  app.use(helmet.frameguard('deny'));
+  app.use(helmet.frameguard(config.get('frameGuard')));
 
   // Sets x-content-type-options:"nosniff"
   app.use(helmet.noSniff());
diff --git a/tests/server/TestFrameGuardConfig.js b/tests/server/TestFrameGuardConfig.js
new file mode 100644
index 00000000000..c454c2489e3
--- /dev/null
+++ b/tests/server/TestFrameGuardConfig.js
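Review bot: The `allow-from` action added to `frameGuard` in config/default-disco.js is only honoured by Firefox and legacy IE; Chromium-based and WebKit browsers do not recognise an `ALLOW-FROM` value and ignore the X-Frame-Options header entirely, so for them the `frameAncestors: ['about:addons']` directive visible in the context lines is the only thing preventing the disco pane from being framed. The new comment should make that explicit so nobody later loosens or drops the CSP believing X-Frame-Options still covers it, e.g. `// x-frame-options must match the frame-ancestors CSP directive; browsers that do not support ALLOW-FROM ignore this header and rely on the CSP alone.` Deriving one value from the other, or asserting in a test that the two agree, would also prevent the two settings drifting apart over time.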
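Review bot: The `// Sets X-Frame-Options` comment above the changed line in src/core/server/base.js is now stale, since the action (and, for the disco instance, a domain) comes from config rather than being a fixed `'deny'`. Node-config's `config.get` throws when the key is undefined, so an app instance whose config omits `frameGuard` fails at startup rather than silently serving no header; that fail-closed behaviour is worth recording, e.g. `// Sets X-Frame-Options from config.frameGuard (deny unless an instance overrides it); config.get throws if the key is missing, so a misconfigured instance fails at boot rather than shipping without the header.` As far as I can tell helmet's frameguard also rejects unrecognised action strings, which gives the same protection against a typo in a config override. The body of baseServer continues outside the hunk on both sides.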
@@ -0,0 +1,24 @@
+import { assert } from 'chai';
+import requireUncached from 'require-uncached';
+
+describe('App Specific Frameguard Config', () => {
+  afterEach(() => {
+    process.env.NODE_ENV = 'production';
+    delete process.env.NODE_APP_INSTANCE;
+  });
+
+  it('should default frameGuard to "deny"', () => {
+    const config = requireUncached('config');
+    const frameGuardConfig = config.get('frameGuard');
+    assert.equal(frameGuardConfig.action, 'deny');
+    assert.equal(frameGuardConfig.domain, undefined);
+  });
+
+  it('should default set frameGuard to allow about:addons for disco pane', () => {
+    process.env.NODE_APP_INSTANCE = 'disco';
+    const config = requireUncached('config');
+    const frameGuardConfig = config.get('frameGuard');
+    assert.equal(frameGuardConfig.action, 'allow-from');
+    assert.equal(frameGuardConfig.domain, 'about:addons');
+  });
+});
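Review bot: The `afterEach` at the top of the describe block unconditionally sets `process.env.NODE_ENV = 'production'` instead of restoring whatever it was before the suite ran, so these tests can change the environment seen by every test that runs after them; capture the original `NODE_ENV` and `NODE_APP_INSTANCE` in a `beforeEach` and restore those values in `afterEach`. The second test's title has a typo, `it('should set frameGuard to allow about:addons for disco pane', () => {`. Both tests only inspect the config object, so they would not notice if helmet stopped emitting the header for the configured action (for instance if a later helmet version dropped `allow-from` support); a server-level test asserting the actual `X-Frame-Options` response header for each app instance would close that gap.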