diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index c6f29abd6c..c483b3e200 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -32,6 +32,22 @@ pub struct RecoveryCodes {
 codes: Option>,
 }
 
+#[sqlx::test]
+async fn dg25_19_clickjacking_vulnerability(_: PgPoolOptions, options: PgConnectOptions) {
+ let pool = setup_pool(options).await;
+
+ let client = make_client(pool).await;
+
+ let response = client.get("/").send().await;
+ let headers = response.headers();
+ let csp_header = headers.get("content-security-policy").unwrap();
+ let csp_value = csp_header.to_str().unwrap();
+ assert!(
+ csp_value.contains("frame-ancestors 'none'"),
+ "CSP header should block all iframes with 'none' directive"
+ );
+}
+
 #[sqlx::test]
 async fn test_logout(_: PgPoolOptions, options: PgConnectOptions) {
 let pool = setup_pool(options).await;
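Review bot: The assertion in `dg25_19_clickjacking_vulnerability` is a substring match, so it passes if `frame-ancestors 'none'` appears anywhere in the header value rather than as a directive of its own; splitting on `;` and comparing the trimmed directive is the stricter check, e.g. `csp_value.split(';').any(|d| d.trim() == "frame-ancestors 'none'")`. The two `unwrap()` calls should become `expect("content-security-policy header missing")` and `expect("CSP header is not valid UTF-8")` so a regression fails with a readable message instead of a bare `None` panic. Only `/` is exercised; if the header comes from a global middleware layer that is sufficient, but if it is attached by the static-asset handler alone an API route should be checked as well — which cannot be determined from this hunk. Older browsers ignore `frame-ancestors`, so if the server also sends `X-Frame-Options: DENY` as the fallback, the test should assert that header too. A one-line doc comment naming the finding the `dg25_19` prefix refers to would help the next reader.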