diff --git a/README.md b/README.md
index 9debc6122c9ddf36829d508bb4cdcbc323c27b37..95e5a1a209b5f97ed1b73a4b283a50c6e8de02f7 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Variables defined in defaults/main.yaml:
 * default_sshd_port: Port on which SSH daemon listens (defaults to 10022)
 * host_user : user used to connect to the server
 * srv_proxy_pass: Password to access proxy protected pages (AUTH defaults to SuperSecureProxyP4$$)
+* allow_iframe: whether iframes are allowed
 
 This role makes use of a few variables which are set in case the target server is part of other groups (but still initialized to false in defaults/main.yml), namely :
 * docker_auth
diff --git a/defaults/main.yml b/defaults/main.yml
index bbd8b3e802e0a1489ab38ee540ca740972c1105d..fdbd8bd703a27e8f73b27d53ea8d483c7dd03214 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,6 @@ metabase: false
 ## Auth
 ldap_url: "ldap.example.org"
 sso_url: "sso.example.org"
+
+## iframe
+allow_iframe: false
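Review bot: The `## iframe` comment above `allow_iframe: false` does not say what the switch controls, and the secure default is easy to flip without realising the effect. In the template changed by this same commit, a true value removes `frameDeny` and `customFrameOptionsValue` from the Traefik headers. I would word the comment as `## iframe: true stops sending the frameDeny / X-Frame-Options SAMEORIGIN headers; keep false unless pages must be embedded`.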
diff --git a/templates/traefik.toml.j2 b/templates/traefik.toml.j2
index e8fddd247a6c1b1d17d7c2ec1f7e76e183c67f5a..5e704aa88b4bcaf1debb014f9b468eddef6dc34c 100644
--- a/templates/traefik.toml.j2
+++ b/templates/traefik.toml.j2
@@ -51,7 +51,7 @@
       contentTypeNosniff = true
       referrerPolicy = "same-origin"
       forceSTSHeader = true
-{% if not cloud_onlyoffice %}
+{% if not cloud_onlyoffice and not allow_iframe %}
       frameDeny = true
       customFrameOptionsValue = "SAMEORIGIN"
 {% endif %}
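Review bot: With `allow_iframe` true, the new `{% if %}` condition drops both `frameDeny` and `customFrameOptionsValue`, so responses covered by this headers block carry no framing restriction and any origin can embed them (clickjacking exposure). Unless the section already sets `contentSecurityPolicy` outside the hunk, an `{% else %}` branch emitting `contentSecurityPolicy = "frame-ancestors 'self' <trusted origins>"`, fed from a new list variable, would keep embedding limited to known sites. The test also uses the raw value, so a string such as `-e allow_iframe=false` is truthy in Jinja and silently removes the headers; `{% if not cloud_onlyoffice | bool and not allow_iframe | bool %}` avoids that. The headers section starts outside the hunk, so which routers it applies to is not visible here.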