diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py
index 860d390d..b5354145 100644
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -71,6 +71,17 @@ class BaseHandler(RequestHandler):
         self.db.rollback()
         super(BaseHandler, self).finish(*args, **kwargs)
 
+    def set_default_headers(self):
+        """
+        Set any headers passed as tornado_settings['headers'].
+
+        By default sets Content-Security-Policy of frame-ancestors 'self'.
+        """
+        headers = self.settings.get('headers', {})
+        headers.setdefault('Content-Security-Policy', "frame-ancestors 'self'")
+        for header_name, header_content in headers.items():
+            self.set_header(header_name, header_content)
+
     #---------------------------------------------------------------
     # Login and cookie-related
     #---------------------------------------------------------------
diff --git a/jupyterhub/tests/test_api.py b/jupyterhub/tests/test_api.py
index 1eb21830..97cb42e7 100644
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -60,11 +60,13 @@ def api_request(app, *api_path, **kwargs):
     if 'Authorization' not in headers:
         headers.update(auth_header(app.db, 'admin'))
-    
+
     url = ujoin(base_url, 'api', *api_path)
     method = kwargs.pop('method', 'get')
     f = getattr(requests, method)
-    return f(url, **kwargs)
+    resp = f(url, **kwargs)
+    assert resp.headers['Content-Security-Policy'] == "frame-ancestors 'self'"
+    return resp
 
 
 def test_auth_api(app):
     db = app.db
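Review bot: `headers.setdefault(...)` in set_default_headers mutates the dict that `self.settings['headers']` refers to, so when an operator has configured `headers` the first request writes the default CSP back into the shared tornado settings instead of merging per request; copy first, `headers = dict(self.settings.get('headers', {}))`, so the configured mapping is never modified. The setdefault lookup is also case-sensitive while HTTP header names are not, so a configured `content-security-policy` would not suppress the default and both values would reach `set_header`, leaving the effective policy dependent on dict iteration order; a case-insensitive check before applying the default would make the override reliable. Since `frame-ancestors` is only honored by browsers that implement CSP Level 2, it may be worth also emitting `X-Frame-Options: SAMEORIGIN` as the fallback for the same clickjacking protection. The enclosing BaseHandler class continues outside this hunk.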
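Review bot: The new `assert resp.headers['Content-Security-Policy'] == ...` inside api_request turns every API test into a CSP check: when the header is missing the subscript raises KeyError rather than an assertion failure, so the reported error will not say what was expected, and any future test that configures a custom `headers` setting will break in this shared helper. Using `resp.headers.get('Content-Security-Policy')` gives a readable failure, and moving the check into a dedicated test such as `test_csp_header(app)` keeps the helper neutral; at minimum a comment like `# every Hub response must carry the default CSP set in BaseHandler.set_default_headers` explains why the helper asserts on it. api_request's signature and the start of its body are outside this hunk.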