diff --git a/typo3/init.php b/typo3/init.php
index a9d74b5c7e2b6fcfbd03a9b4ac272d81cdacb282..bce02b5ccd9759bb4bba18f73ddc6a2066b9054b 100644
--- a/typo3/init.php
+++ b/typo3/init.php
@@ -74,4 +74,5 @@ require __DIR__ . '/sysext/core/Classes/Core/Bootstrap.php';
 	->initializeLanguageObject()
 	->initializeBackendTemplate()
 	->endOutputBufferingAndCleanPreviousOutput()
-	->initializeOutputCompression();
+	->initializeOutputCompression()
+	->sendHttpHeaders();
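Review bot: The configured headers, including the X-Frame-Options default, are only emitted by scripts that run this bootstrap chain in init.php. Any backend entry point that bootstraps on its own would still be frameable; none are visible in this diff, so that is worth checking. If such entry points exist, they need the same `->sendHttpHeaders()` call. A short comment here would also help, for example `// must run before any output is flushed, otherwise header() is a no-op`.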
diff --git a/typo3/sysext/core/Classes/Core/Bootstrap.php b/typo3/sysext/core/Classes/Core/Bootstrap.php
index 0b22dd3b1aab8067f8c7419dcb8e10bb121ed24d..184507377102e9139a7222d5c98be5fd94d2109e 100644
--- a/typo3/sysext/core/Classes/Core/Bootstrap.php
+++ b/typo3/sysext/core/Classes/Core/Bootstrap.php
@@ -1064,6 +1064,21 @@ class Bootstrap {
 		return $this;
 	}
 
+	/**
+	 * Send HTTP headers if configured
+	 *
+	 * @return Bootstrap
+	 * @internal This is not a public API method, do not use in own extensions
+	 */
+	public function sendHttpHeaders() {
+		if (!empty($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers']) && is_array($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'])) {
+			foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] as $header) {
+				header($header);
+			}
+		}
+		return $this;
+	}
+
 	/**
 	 * Things that should be performed to shut down the framework.
 	 * This method is called in all important scripts for a clean
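Review bot: In sendHttpHeaders() the loop passes every configured value straight to `header()` without checking that it is a string or that headers can still be sent. A nested array or other non-string entry in `Headers` would raise a PHP error during backend bootstrap. If output has already been flushed, the call only produces a warning and the clickjacking header is silently missing. Consider `if (headers_sent()) { return $this; }` before the loop and `if (!is_string($header)) { continue; }` inside it. The docblock should also state that each value is a complete header line and that the array keys are labels only.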
diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index f02868e06eb291cd895b40987202a0384f0978d8..05bc41f32776378bcb99208a29154c067225fbef 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -713,6 +713,11 @@ return array(
 				'csrfTokenCheck' => TRUE
 			),
 		),
+		'HTTP' => array(
+			'Response' => array(
+				'Headers' => array('clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN')
+			)
+		),
 		'XCLASS' => array()
 	),
 	'FE' => array( // Configuration for the TypoScript frontend (FE). Nothing here relates to the administration backend!
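Review bot: The new `'HTTP' => array(...)` entry has no inline comment, so the expected format is not visible to whoever edits this file. It should say that each value is a full `Name: value` header line and that the key (`clickJackingProtection`) is only a handle for overriding or unsetting that entry. A suitable comment would be `// Headers sent with every backend response; key = label, value = complete header line. Removing 'clickJackingProtection' allows the backend to be framed by other origins.` That makes the security consequence of unsetting the default explicit.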