diff --git a/client/pages/filespage/thing.scss b/client/pages/filespage/thing.scss
index dfd26013..ee637df3 100644
--- a/client/pages/filespage/thing.scss
+++ b/client/pages/filespage/thing.scss
@@ -110,7 +110,7 @@ // GRID VIEW > .component_thing.view-grid{ width: 25%; .box{ height: 160px;}
- @media (max-width: 800px){width: 33.33%; .box{height: 200px} }
+ @media (max-width: 769px){width: 33.33%; .box{height: 200px} }
 @media (max-width: 670px){.box{height: 170px}}
 @media (max-width: 550px){width: 50%; .box{height: 200px} }
 @media (max-width: 480px){.box{height: 170px}}
diff --git a/server/middleware/http.go b/server/middleware/http.go
index ef6ac789..af498087 100644
--- a/server/middleware/http.go
+++ b/server/middleware/http.go 
@@ -46,7 +46,23 @@ func IndexHeaders(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App
 header.Set("X-XSS-Protection", "1; mode=block")
 header.Set("X-Frame-Options", "DENY")
 header.Set("X-Powered-By", fmt.Sprintf("Filestash/%s.%s ", APP_VERSION, BUILD_DATE))
- header.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; font-src 'self' data:; manifest-src 'self'; script-src 'self' 'sha256-JNAde5CZQqXtYRLUk8CGgyJXo6C7Zs1lXPPClLM1YM4=' 'sha256-9/gQeQaAmVkFStl6tfCbHXn8mr6PgtxlH+hEp685lzY='; img-src 'self' data:; connect-src 'self'; object-src 'self'; media-src 'self'; worker-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self'")
+
+ cspHeader := "default-src 'none'; style-src 'unsafe-inline'; font-src 'self' data:; manifest-src 'self'; script-src 'self' 'sha256-JNAde5CZQqXtYRLUk8CGgyJXo6C7Zs1lXPPClLM1YM4=' 'sha256-9/gQeQaAmVkFStl6tfCbHXn8mr6PgtxlH+hEp685lzY='; img-src 'self' data:; connect-src 'self'; object-src 'self'; media-src 'self'; worker-src 'self'; form-action 'self'; base-uri 'self';"
+ if allowedDomainsForIframe := Config.Get("features.protection.iframe").Schema(func(f *FormElement) *FormElement{
+ if f == nil {
+ f = &FormElement{}
+ }
+ f.Default = ""
+ f.Name = "iframe"
+ f.Type = "text"
+ f.Target = []string{}
+ f.Description = "The frame-ancestors's value as part of the Content Security Policy header. Use with caution, this setting can make you vulnerable to clicjacking security issues."
+ f.Placeholder = "Default: disabled"
+ return f
+ }).String(); allowedDomainsForIframe != "" {
+ cspHeader += "frame-ancestors " + allowedDomainsForIframe
+ }
+ header.Set("Content-Security-Policy", cspHeader)
 fn(ctx, res, req)
 }
 }
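Review bot: When `features.protection.iframe` is empty the new header carries no frame-ancestors directive at all, whereas the removed line always sent `frame-ancestors 'none'`; clickjacking protection then rests solely on the separate `X-Frame-Options: DENY`, and once a value is configured, browsers that implement CSP3 ignore that header in favour of the directive, which is presumably the intent. Keep the previous default explicit by adding `} else { cspHeader += "frame-ancestors 'none'" }` after the existing `if` body. The configured value is also concatenated into the policy verbatim, so a value containing `;` silently appends further directives beyond what the setting describes; restricting it to whitespace-separated host-source tokens (or `'self'`) before the `+=` would keep the policy to the frame-ancestors value the description promises. Minor: `clicjacking` in `f.Description` should read `clickjacking`, and the `Schema` callback is re-registered on every request inside the handler, so hoisting the `Config.Get(...).Schema(...)` lookup out of the `if` initializer would read better and cost less per request. IndexHeaders's signature and the start of the returned closure lie outside the hunk.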