diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 057ad3a5..3f21b121 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -83,6 +83,10 @@ The following variables as mandatory
 Set the value for the following variables - `MONGO_URI`, `MONGO_DBNAME`, `REDIS_HOST`, `REDIS_PORT`
+3. Configure `widget/nginx-variables.conf`.
+
+`set $FRAME_ANCESTORS "http:"`, to allow unencrypted iframing of the widget in your development environment.
+
 ## Installing dependencies and running app
 From the root folder run the following commands
diff --git a/README.md b/README.md
index d55631fd..6310682f 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,10 @@ docker-compose down
 sudo docker-compose up --build --force-recreate
 ```
+3. Configure `widget/nginx-variables.conf`.
+
+`set $FRAME_ANCESTORS "https://your.domain"`, to allow iframing of the widget on `your.domain`.
+
 ### 🛃 Manual
 WebWhiz is designed to be used as a production grade Chatbot that can be scaled up or down to handle any volume of data.
@@ -153,6 +157,10 @@ The following variables as mandatory
 Set the value for the following variables - `MONGO_URI`, `MONGO_DBNAME`, `REDIS_HOST`, `REDIS_PORT`
+3. Configure `widget/nginx-variables.conf`.
+
+`set $FRAME_ANCESTORS "https://your.domain"`, to allow iframing of the widget on `your.domain`.
+
 #### Installing dependencies and running app
 From the root folder run the following commands
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index db5cb9be..fc31a944 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -5,6 +5,8 @@ upstream web {
 server {
 listen 80;
+ add_header Content-Security-Policy "frame-ancestors 'none'" always;
+
 location ~ ^/api(/?)(.*) {
 proxy_pass http://web/$2$is_args$args;
 }
diff --git a/widget/Dockerfile b/widget/Dockerfile
index 0ef17ca0..ac6a7f87 100644
--- a/widget/Dockerfile
+++ b/widget/Dockerfile
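Review bot: The server-level `add_header Content-Security-Policy "frame-ancestors 'none'" always;` added after `listen 80;` is only inherited by a `location` that declares no `add_header` of its own, so any location in this server that sets another header (none is visible in the hunk, but the block continues past it) would silently drop the CSP header for its responses; the same inheritance rule applies to the widget/nginx.conf hunk below. For clients that do not evaluate CSP frame-ancestors, a companion `add_header X-Frame-Options "DENY" always;` on the next line gives the same denial at no cost. A one-line comment above the directive, `# Never allow the frontend to be embedded in a frame (clickjacking); the widget carries its own policy`, records why this policy is unconditional while the widget's is configurable.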
@@ -26,6 +26,7 @@ COPY --from=builder_widget /app/dist /usr/share/nginx/html
 # Copying our nginx.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY nginx-variables.conf /etc/nginx/nginx-variables.conf
 # Expose port
 EXPOSE 80
diff --git a/widget/nginx-variables.conf b/widget/nginx-variables.conf
new file mode 100644
index 00000000..1a283b2a
--- /dev/null
+++ b/widget/nginx-variables.conf
@@ -0,0 +1 @@
+set $FRAME_ANCESTORS "'none'"; # Space delimited urls allowed to iframe the widget. If set to https: (without single quotes) all https sites are allowed
diff --git a/widget/nginx.conf b/widget/nginx.conf
index d64c1a52..e4d04fb0 100644
--- a/widget/nginx.conf
+++ b/widget/nginx.conf
@@ -1,6 +1,11 @@
 server {
+ include /etc/nginx/nginx-variables.conf;
+
 listen 80;
+ set $FRAME_ANCESTORS "frame-ancestors ${FRAME_ANCESTORS}";
+ add_header Content-Security-Policy "${FRAME_ANCESTORS}" always;
+
 location / {
 root /usr/share/nginx/html/;
 include /etc/nginx/mime.types;
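Review bot: The inline comment on the new `set $FRAME_ANCESTORS "'none'";` line understates the scope of a bare scheme source: `https:` (or the `http:` value the CONTRIBUTING.md hunk recommends for development) lets every site on that scheme embed the widget, so outside local development the list should name explicit origins such as `https://your.domain`. The comment also leaves the quoting rule implicit — keyword sources like `'none'` and `'self'` keep their single quotes, host sources do not, and whatever sits inside the double quotes is passed to the header verbatim. I would replace it with a two-line comment stating that the value is a space-separated CSP frame-ancestors source list, that keyword sources keep their single quotes, and that a bare scheme permits every site on that scheme. Since the Dockerfile hunk copies this file into the image at build time, editing it after the fact needs an image rebuild or a bind mount, which the README steps above do not say.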
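Review bot: Reassigning `$FRAME_ANCESTORS` to hold the whole directive in `set $FRAME_ANCESTORS "frame-ancestors ${FRAME_ANCESTORS}";` gives the variable two meanings a few lines apart and contradicts nginx-variables.conf, where it is documented as a source list; a separate name keeps the include file's contract intact: `set $csp_frame_ancestors "frame-ancestors ${FRAME_ANCESTORS}";` and `add_header Content-Security-Policy "${csp_frame_ancestors}" always;`. If the included file ever leaves `$FRAME_ANCESTORS` unset, the header is still emitted with an empty source list; I have not verified how browsers treat that case, so a comment above the `set` noting that the include is mandatory and that an empty value is not the documented `'none'` would help. The `server` block continues past the end of the hunk.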