diff --git a/src/PowderCoating.Web/Program.cs b/src/PowderCoating.Web/Program.cs
index 1d38d5e..15e8dcc 100644
--- a/src/PowderCoating.Web/Program.cs
+++ b/src/PowderCoating.Web/Program.cs
@@ -671,8 +671,8 @@ System.Globalization.CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;
 // SECURITY: Add security headers middleware
 app.Use(async (context, next) =>
 {
-    // Prevent clickjacking
-    context.Response.Headers.Append("X-Frame-Options", "DENY");
+    // Prevent clickjacking — SAMEORIGIN so our own iframe embeds (QR labels, etc.) still work
+    context.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
 
     // Prevent MIME type sniffing
     context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
@@ -699,7 +699,8 @@ app.Use(async (context, next) =>
             "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
             "img-src 'self' data: https:; " +
             $"connect-src {cspConnectSrc}; " +
-            "frame-src 'self' https://js.stripe.com https://hooks.stripe.com");
+            "frame-src 'self' https://js.stripe.com https://hooks.stripe.com; " +
+            "frame-ancestors 'self'");
 
     // Referrer Policy - control referrer information
     context.Response.Headers.Append("Referrer-Policy", "strict-origin-when-cross-origin");
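Review bot: The new `X-Frame-Options` line still uses `Headers.Append`, so if any other component (for example the antiforgery token writer, which also emits this header) has already set a value on the same response, the header ends up with two values and browser behaviour becomes undefined; an overwrite is the safer form here, `context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";`. Note also that in browsers that understand CSP, the `frame-ancestors 'self'` directive added in the second hunk takes precedence over `X-Frame-Options`, so the two must be kept in lockstep — a comment such as `// Must agree with the CSP frame-ancestors directive below (CSP wins where supported)` would make that dependency visible. `SAMEORIGIN` / `'self'` match scheme, host and port exactly, so the QR-label embeds mentioned in the comment only keep working if they are served from this same origin rather than a subdomain or a different port; that is presumably the case but worth confirming. The lambda body continues past the hunk.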
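Review bot: The added `frame-ancestors 'self'` line depends on the previous `frame-src` line having gained a trailing `"; "`, which is exactly the kind of separator that is easy to drop or duplicate when the CSP value is assembled by string concatenation — a missing separator silently merges two directives into one invalid token and the policy is weaker than intended. Building the directive list and joining with `"; "` makes each directive one self-contained element and removes the separator bookkeeping; the rewrite below shows the tail of the list, with the earlier directives (and the start of the `Headers.Append("Content-Security-Policy", ...)` call, which begins outside this hunk) left as they are. Keep the new `frame-ancestors 'self'` in step with the `X-Frame-Options` value set earlier in the same middleware, since CSP-capable browsers use this directive and ignore the legacy header.
```csharp
var cspDirectives = new[]
{
    // … unchanged: default-src / script-src / style-src entries …
    "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net",
    "img-src 'self' data: https:",
    $"connect-src {cspConnectSrc}",
    "frame-src 'self' https://js.stripe.com https://hooks.stripe.com",
    "frame-ancestors 'self'",
};
context.Response.Headers.Append("Content-Security-Policy", string.Join("; ", cspDirectives));
```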