diff --git a/administrator/components/com_login/views/login/tmpl/default.php b/administrator/components/com_login/views/login/tmpl/default.php
index 86546ccadd8ed..216a0c0b932e2 100644
--- a/administrator/components/com_login/views/login/tmpl/default.php
+++ b/administrator/components/com_login/views/login/tmpl/default.php
@@ -9,8 +9,6 @@
 defined('_JEXEC') or die;
-JHtml::_('behavior.noframes');
-
 /**
  * Get the login modules
  * If you want to use a completely different login module change the value of name
diff --git a/administrator/components/com_login/views/login/view.html.php b/administrator/components/com_login/views/login/view.html.php
index 35a5bb3f01f0c..4ec83d4ec7e40 100644
--- a/administrator/components/com_login/views/login/view.html.php
+++ b/administrator/components/com_login/views/login/view.html.php
@@ -16,4 +16,26 @@
  */
 class LoginViewLogin extends JViewLegacy
 {
+ /**
+ * Display the view.
+ *
+ * @param string $tpl The name of the template file to parse.
+ *
+ * @return void
+ *
+ * @since __DEPLOY_VERSION__
+ */
+ public function display($tpl = null)
+ {
+ /**
+ * To prevent clickjacking, only allow the login form to be used inside a frame in the same origin.
+ * So send a X-Frame-Options HTTP Header with the SAMEORIGIN value.
+ *
+ * @see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
+ * https://tools.ietf.org/html/rfc7034
+ */
+ JFactory::getApplication()->setHeader('X-Frame-Options', 'SAMEORIGIN');
+
+ return parent::display($tpl);
+ }
 }
diff --git a/administrator/templates/hathor/login.php b/administrator/templates/hathor/login.php
index c086d4d6a1824..9fd2d49529372 100644
--- a/administrator/templates/hathor/login.php
+++ b/administrator/templates/hathor/login.php
@@ -20,8 +20,6 @@
 // jQuery needed by template.js
 JHtml::_('jquery.framework');
-JHtml::_('behavior.noframes');
-
 // Load optional RTL Bootstrap CSS
 JHtml::_('bootstrap.loadCss', false, $this->direction);
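Review bot: The new display() in view.html.php queues X-Frame-Options with setHeader() in its default non-replacing mode, so if the same header has already been set earlier in the request (a system plugin, for instance) the response can carry two X-Frame-Options values, which browsers do not reconcile consistently; passing the replace flag avoids that, `JFactory::getApplication()->setHeader('X-Frame-Options', 'SAMEORIGIN', true);`. The docblock also declares `@return void` while the body does `return parent::display($tpl);`, so either drop the `return` keyword or document what the parent actually returns. Because the same commit removes the script-based noframes behaviour from default.php and hathor/login.php, this header is now the only clickjacking control on the administrator login, which is worth stating in the method comment so nobody later moves the call behind a condition. Setting `Content-Security-Policy: frame-ancestors 'self'` alongside it would give the same protection in browsers that prefer CSP over the legacy header.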
diff --git a/libraries/cms/html/behavior.php b/libraries/cms/html/behavior.php
index 803e641f02bd6..023c197805f72 100644
--- a/libraries/cms/html/behavior.php
+++ b/libraries/cms/html/behavior.php
@@ -791,9 +791,13 @@ className: '" . $className . "',
  * @return void
  *
  * @since 1.5
+ *
+ * @deprecated 4.0 Add a X-Frame-Options HTTP Header with the SAMEORIGIN value instead.
  */
 public static function noframes()
 {
+ JLog::add(__METHOD__ . ' is deprecated, add a X-Frame-Options HTTP Header with the SAMEORIGIN value instead.', JLog::WARNING, 'deprecated');
+
 // Only load once
 if (isset(static::$loaded[__METHOD__]))
 {
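Review bot: The new `@deprecated` tag says what to replace noframes() with but not how, so each caller has to rediscover the API; the replacement is a single call and can be named in the tag, `@deprecated 4.0 Use JFactory::getApplication()->setHeader('X-Frame-Options', 'SAMEORIGIN') instead; the script loaded here is not a reliable clickjacking defence.` The JLog message added as the first line of the body would benefit from the same concrete wording, and both read "a X-Frame-Options" where "an X-Frame-Options" is meant. The body of noframes() continues past the end of the hunk.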