diff --git a/lms/djangoapps/branding/tests/test_page.py b/lms/djangoapps/branding/tests/test_page.py
index b3ea5a604a..cdd47524dc 100644
--- a/lms/djangoapps/branding/tests/test_page.py
+++ b/lms/djangoapps/branding/tests/test_page.py
@@ -72,22 +72,22 @@ class AnonymousIndexPageTest(ModuleStoreTestCase):
 response = self.client.get('/')
 self.assertEqual(response.status_code, 200)
+ @override_settings(X_FRAME_OPTIONS='ALLOW')
 def test_allow_x_frame_options(self):
 """
 Check the x-frame-option response header
 """
- # check to see that the default setting is to ALLOW iframing
+ # check to see that the override value is honored
 resp = self.client.get('/')
 self.assertEquals(resp['X-Frame-Options'], 'ALLOW')
- @override_settings(X_FRAME_OPTIONS='DENY')
 def test_deny_x_frame_options(self):
 """
 Check the x-frame-option response header
 """
- # check to see that the override value is honored
+ # check to see that the default setting is to DENY iframing
 resp = self.client.get('/')
 self.assertEquals(resp['X-Frame-Options'], 'DENY')
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 4737c366df..a1ee353e8d 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1302,8 +1302,8 @@ MIDDLEWARE_CLASSES = [
 'openedx.core.djangoapps.site_configuration.middleware.SessionCookieDomainOverrideMiddleware',
 ]
-# Clickjacking protection can be enabled by setting this to 'DENY'
-X_FRAME_OPTIONS = 'ALLOW'
+# Clickjacking protection can be disbaled by setting this to 'ALLOW'
+X_FRAME_OPTIONS = 'DENY'
 # Platform for Privacy Preferences header
 P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
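Review bot: `self.assertEquals` on the two X-Frame-Options assertions is the deprecated alias of `assertEqual`, which the status-code assertion at the top of the same hunk already uses; switching both to `self.assertEqual(resp['X-Frame-Options'], 'ALLOW')` and `self.assertEqual(resp['X-Frame-Options'], 'DENY')` keeps the class consistent. test_deny_x_frame_options now relies on the project default rather than an explicit override, which is the right way to pin the secure default, but the comment could say so explicitly: `# no override here on purpose: the project default must DENY iframing, so a change to the default fails this test`. The enclosing class AnonymousIndexPageTest begins outside the hunk.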
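Review bot: The new comment on X_FRAME_OPTIONS has a typo ("disbaled") and points readers to 'ALLOW', which is not a value defined for the X-Frame-Options header — only DENY and SAMEORIGIN (plus the obsolete ALLOW-FROM) are — so 'ALLOW' permits framing only because browsers ignore an unrecognized token, and a strict intermediary may not treat it the same way. Suggested wording: `# Clickjacking protection. 'DENY' blocks all framing; 'SAMEORIGIN' permits framing only from this site's own origin.` The header is only emitted when Django's XFrameOptionsMiddleware is in MIDDLEWARE_CLASSES, of which this hunk shows only the tail, so confirm it is present (the tests in test_page.py suggest it is).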