diff --git a/README.md b/README.md index 35d693f9b0..c59ce0db78 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ your web server configuration when hosting Element Web: - The `X-Frame-Options: SAMEORIGIN` header, to prevent Element Web from being framed and protect from [clickjacking][owasp-clickjacking]. -- The `frame-ancestors 'none'` directive to your `Content-Security-Policy` +- The `frame-ancestors 'self'` directive to your `Content-Security-Policy` header, as the modern replacement for `X-Frame-Options` (though both should be included since not all browsers support it yet, see [this][owasp-clickjacking-csp]). @@ -113,7 +113,7 @@ For Apache, the configuration looks like: Header set X-Frame-Options SAMEORIGIN Header set X-Content-Type-Options nosniff Header set X-XSS-Protection "1; mode=block" -Header set Content-Security-Policy "frame-ancestors 'none'" +Header set Content-Security-Policy "frame-ancestors 'self'" ``` Note: In case you are already setting a `Content-Security-Policy` header
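Review bot: In the first hunk (README.md, line ~88), the change from `frame-ancestors 'none'` to `frame-ancestors 'self'` makes the CSP directive consistent with the `X-Frame-Options: SAMEORIGIN` header recommended two lines above, but the surrounding prose does not explain the trade-off, and the diff carries no rationale. `'none'` blocks all framing, including same-origin, while `'self'` permits same-origin framing only; if Element Web is never expected to be embedded, `'none'` is the stricter choice and `SAMEORIGIN` would then be the mismatch rather than `'none'`. Suggest adding a short sentence after "as the modern replacement for `X-Frame-Options`" stating why `'self'` is the intended value (for example, that it matches `SAMEORIGIN`, which the README already recommends for browsers without CSP support), so that deployers who want the tighter `'none'` know they are deviating deliberately.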
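Review bot: In the second hunk (README.md, line ~116), only the Apache example is updated to `frame-ancestors 'self'`; the preceding line "For Apache, the configuration looks like:" implies other web server snippets may exist in this section, and any of them still showing `'none'` should be updated in the same change so the README does not recommend two different values. The trailing context ("Note: In case you are already setting a `Content-Security-Policy` header") is still relevant after this change: `Header set` in Apache replaces any existing `Content-Security-Policy` header rather than merging into it, so the existing value must be folded in by hand, and the note might usefully say so explicitly.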