diff --git a/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java b/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java
index 9ba0227..254c58a 100644
--- a/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java
+++ b/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java
@@ -59,7 +59,11 @@ public class SecuredKeyCloakConfiguration {
 http.anonymous().disable();
 http.httpBasic().disable();
- http.csrf().disable();
+ http.csrf(csrf -> csrf.ignoringRequestMatchers("/gs-guide-websocket/**"));
+ http.headers(headers -> headers
+ // allow same origin to frame our site to support iframe SockJS
+ .frameOptions(frameOptions -> frameOptions
+ .sameOrigin()));
 http.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(tenantAuthenticationManagerResolver));
 http.authorizeHttpRequests().anyRequest().authenticated();
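Review bot: The CSRF exemption for `/gs-guide-websocket/**` leaves the SockJS handshake and its HTTP fallback transports without a token check, so that endpoint depends entirely on origin restriction and authentication configured elsewhere, neither of which is visible in this hunk. Please confirm the endpoint registration sets an explicit allowed-origins list rather than a wildcard, and record the dependency next to the matcher, e.g. `// CSRF skipped for SockJS only; relies on allowed-origins + token check in the WebSocket config`. The path literal looks like a sample-guide name and is hard-coded in a shared commons class; a configurable property would probably suit consumers that register a different endpoint. `frameOptions.sameOrigin()` also relaxes framing for every response rather than only the SockJS iframe transport, which the added comment should say. The enclosing method starts and ends outside the hunk.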