From 4a18ab6d1b9ac26ee3908086f052265fc34475aa Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Tue, 14 Mar 2023 11:27:05 +0000 Subject: [PATCH] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 35d693f9b0..c59ce0db78 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ your web server configuration when hosting Element Web: - The `X-Frame-Options: SAMEORIGIN` header, to prevent Element Web from being framed and protect from [clickjacking][owasp-clickjacking]. -- The `frame-ancestors 'none'` directive to your `Content-Security-Policy` +- The `frame-ancestors 'self'` directive to your `Content-Security-Policy` header, as the modern replacement for `X-Frame-Options` (though both should be included since not all browsers support it yet, see [this][owasp-clickjacking-csp]). @@ -113,7 +113,7 @@ For Apache, the configuration looks like: Header set X-Frame-Options SAMEORIGIN Header set X-Content-Type-Options nosniff Header set X-XSS-Protection "1; mode=block" -Header set Content-Security-Policy "frame-ancestors 'none'" +Header set Content-Security-Policy "frame-ancestors 'self'" ``` Note: In case you are already setting a `Content-Security-Policy` header
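Review bot: In the first hunk (the README bullet list, line 88), the commit message "Update README.md" does not say why `frame-ancestors` moves from `'none'` to `'self'`; please state the rationale, since `'self'` is the looser setting (it permits framing by same-origin pages, where `'none'` forbids framing entirely). The change itself is consistent with the surrounding text, which already recommends `X-Frame-Options: SAMEORIGIN`, and `'self'` is the CSP equivalent of `SAMEORIGIN` just as `'none'` is the equivalent of `DENY`; before this change the two recommendations contradicted each other, so a one-line note such as "align the CSP directive with the SAMEORIGIN recommendation above" would make the intent clear to future readers.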
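Review bot: In the second hunk (the Apache example, line 116), the new `Header set Content-Security-Policy "frame-ancestors 'self'"` line now matches the `Header set X-Frame-Options SAMEORIGIN` line three lines above it, which is the point of the change; worth checking that any other web-server example in this README (the diff shows only the Apache block) receives the same update, so the document does not recommend `'none'` in one place and `'self'` in another. The trailing context "Note: In case you are already setting a `Content-Security-Policy` header" remains relevant, because `Header set` replaces an existing header rather than merging with it, so an operator with their own CSP must merge the `frame-ancestors` directive into it by hand.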