diff --git a/src/aphront/response/webpage/AphrontWebpageResponse.php b/src/aphront/response/webpage/AphrontWebpageResponse.php
index 94e976a64c..c30ebdcad3 100644
--- a/src/aphront/response/webpage/AphrontWebpageResponse.php
+++ b/src/aphront/response/webpage/AphrontWebpageResponse.php
@@ -34,7 +34,8 @@ class AphrontWebpageResponse extends AphrontResponse {
 
   public function getHeaders() {
     return array(
-      array('Content-Type', 'text/html; charset=UTF-8'),
+      array('Content-Type',    'text/html; charset=UTF-8'),
+      array('X-Frame-Options', 'Deny'),
     );
   }
 
diff --git a/src/view/page/standard/PhabricatorStandardPageView.php b/src/view/page/standard/PhabricatorStandardPageView.php
index b6320fd7f9..660e09cc9b 100755
--- a/src/view/page/standard/PhabricatorStandardPageView.php
+++ b/src/view/page/standard/PhabricatorStandardPageView.php
@@ -98,8 +98,11 @@ class PhabricatorStandardPageView extends AphrontPageView {
   protected function getHead() {
     $response = CelerityAPI::getStaticResourceResponse();
     return
+      '<script type="text/javascript">'.
+        '(top != self) && top.location.replace(self.location.href);'.
+        'window.__DEV__=1;'.
+      '</script>'.
       $response->renderResourcesOfType('css').
-      '<script type="text/javascript">window.__DEV__=1;</script>'.
       '<script type="text/javascript" src="/rsrc/js/javelin/init.dev.js">'.
       '</script>';
   }