diff --git a/backend/server.js b/backend/server.js
index bd459bf..b2a23d5 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -96,7 +96,7 @@ app.use((req, res, next) => {
 // Security headers
 app.use((req, res, next) => {
 res.setHeader('X-Content-Type-Options', 'nosniff');
- res.setHeader('X-Frame-Options', 'DENY');
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN'); // Allow iframes from same origin
 res.setHeader('X-XSS-Protection', '1; mode=block');
 res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
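Review bot: The `+` line only relaxes the legacy X-Frame-Options header; if this middleware (or another one) also sends a Content-Security-Policy with a `frame-ancestors` directive, browsers that support it ignore X-Frame-Options in favour of that directive, so the iframe would stay blocked unless `frame-ancestors 'self'` is set to match — the rest of the middleware body is outside this hunk, so that cannot be confirmed here. SAMEORIGIN also means every page on this origin may now frame the app, so the relaxation is only as safe as the origin's other content (any route that renders user-supplied HTML on the same origin would become a framing vector). The added comment should record which page needs the embedding and the coupling with CSP, e.g. `// SAMEORIGIN: <embedding page — fill in> frames this app; keep in sync with any CSP frame-ancestors directive`.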