diff --git a/cmd/packserver/main.go b/cmd/packserver/main.go
index d71624d..c18b90b 100644
--- a/cmd/packserver/main.go
+++ b/cmd/packserver/main.go
@@ -51,6 +51,8 @@ func main() {
 "Tell client how long it can cache data for; 0 means no caching")
 rootCmd.Flags().String("fallback-404", "",
 "Name of file to return if response would be 404 (spa.html or similar)")
+ rootCmd.Flags().String("frames", "sameorigin",
+ "Override X-Frame-Options header (can be sameorigin, deny, allow)")
 
 if err := rootCmd.Execute(); err != nil {
 fmt.Fprintln(os.Stderr, err)
@@ -82,6 +84,23 @@ func run(c *cobra.Command, args []string) error {
 certFile = keyFile
 }
 
+ // parse frames header
+ framesHeader := "SAMEORIGIN"
+ frames, err := c.Flags().GetString("frames")
+ if err != nil {
+ return err
+ }
+ switch frames {
+ case "sameorigin":
+ framesHeader = "SAMEORIGIN"
+ case "allow":
+ framesHeader = ""
+ case "deny":
+ framesHeader = "DENY"
+ default:
+ return errors.New("--frames must be one of sameorigin, deny, allow")
+ }
+
 // parse extra headers
 extraHeaders := make(http.Header)
 hdrs, err := c.Flags().GetStringSlice("header")
@@ -169,6 +188,7 @@ func run(c *cobra.Command, args []string) error {
 return fmt.Errorf("%s: fallback-404 resource %q "+
 "not found in packfile", prefix, fallback404File)
 }
+ packHandler.SetHeader("X-Frame-Options", framesHeader)
 
 handler := &addHeaders{
 extraHeaders: extraHeaders,
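Review bot: The usage string for `--frames` in main lists `allow` without saying what it does. Going by the switch added in run, `allow` maps to an empty header value, so the operator is switching off the framing restriction rather than choosing a third policy. I would say so in the help text, e.g. `"X-Frame-Options policy: sameorigin (default), deny, or allow (no framing restriction; any site can embed the pages)"`. main's body continues outside the hunk.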
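Review bot: The `default:` arm in run returns `errors.New(...)`, but the diff adds no import, so this builds only if `errors` is already imported in main.go. `fmt` is visibly in use in this file, and `return fmt.Errorf("--frames must be one of sameorigin, deny, allow (got %q)", frames)` would avoid the dependency and echo the rejected value. The initializer `framesHeader := "SAMEORIGIN"` is never observed because every arm either assigns or returns; `var framesHeader string` states that more plainly. The match is case-sensitive, so `--frames DENY` is rejected, which is worth a word in the flag help if intended. run's body starts and ends outside the hunk.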
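Review bot: `packHandler.SetHeader("X-Frame-Options", framesHeader)` is also called when `--frames allow` has set `framesHeader` to `""`. SetHeader is not shown here, so it is unclear whether an empty value removes the header or sends `X-Frame-Options:` with no value. A comment on this line should state the contract, e.g. `// an empty value makes SetHeader drop the header (the --frames allow case)`; if SetHeader does not behave that way, the allow case needs an explicit removal path. A `--header` entry with the same name also goes through `addHeaders`, and which value wins is not visible in this hunk, so the precedence deserves a comment too. run's body starts and ends outside the hunk.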