diff --git a/js/seckit.document_write.js b/js/seckit.document_write.js
deleted file mode 100644
index 38e3c8a16a207956cffc3433e8b85e54e58c8495..0000000000000000000000000000000000000000
--- a/js/seckit.document_write.js
+++ /dev/null
@@ -1,7 +0,0 @@
-/**
- * If site is not being framed or being framed within the same host,
- * start commenting out seckit.no_body.css.
- */
-if (top === self || top.location.hostname === self.location.hostname) {
-  document.write('<!--');
-}
diff --git a/js/seckit.frame_check.js b/js/seckit.frame_check.js
new file mode 100644
index 0000000000000000000000000000000000000000..66b016d784dc9b5c3d9478de4e05d53a578c446e
--- /dev/null
+++ b/js/seckit.frame_check.js
@@ -0,0 +1,7 @@
+/**
+ * If site is being framed and not within the same host,
+ * hide the page. @see https://www.hacksplaining.com/prevention/click-jacking
+ */
+if ((top === self) || (top.location.hostname === self.location.hostname)) {
+  document.body.setAttribute('style', 'display: block !important');
+}
diff --git a/src/EventSubscriber/SecKitEventSubscriber.php b/src/EventSubscriber/SecKitEventSubscriber.php
index 8870d1abc77006fd38e2c4d6d8f14d08b0f5a581..2359141605e1aec7f35c2765abc39fa658ccb889 100644
--- a/src/EventSubscriber/SecKitEventSubscriber.php
+++ b/src/EventSubscriber/SecKitEventSubscriber.php
@@ -423,9 +423,8 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
     $message = Xss::filter($noscript_message);
     $path = base_path() . $this->moduleExtensionList->getPath('seckit');
     return <<< EOT
-        <script type="text/javascript" src="$path/js/seckit.document_write.js"></script>
+        <script type="text/javascript" defer="defer" src="$path/js/seckit.frame_check.js"></script>
         <link type="text/css" rel="stylesheet" id="seckit-clickjacking-no-body" media="all" href="$path/css/seckit.no_body.css" />
-        <!-- stop SecKit protection -->
         <noscript>
         <link type="text/css" rel="stylesheet" id="seckit-clickjacking-noscript-tag" media="all" href="$path/css/seckit.noscript_tag.css" />
         <div id="seckit-noscript-tag">
diff --git a/tests/src/Functional/SecKitTestCaseTest.php b/tests/src/Functional/SecKitTestCaseTest.php
index cb6f17184f4f595aa318c5adf1d574a8179d1878..7711af1cfa88a2e2f003d7ba3e3c9c5367557e9a 100644
--- a/tests/src/Functional/SecKitTestCaseTest.php
+++ b/tests/src/Functional/SecKitTestCaseTest.php
@@ -547,9 +547,8 @@ class SecKitTestCaseTest extends BrowserTestBase {
         $config->get('seckit_clickjacking.noscript_message');
     $path = base_path() . \Drupal::service('extension.list.module')->getPath('seckit');
     $code = <<< EOT
-        <script type="text/javascript" src="$path/js/seckit.document_write.js"></script>
+        <script type="text/javascript" defer="defer" src="$path/js/seckit.frame_check.js"></script>
         <link type="text/css" rel="stylesheet" id="seckit-clickjacking-no-body" media="all" href="$path/css/seckit.no_body.css" />
-        <!-- stop SecKit protection -->
         <noscript>
         <link type="text/css" rel="stylesheet" id="seckit-clickjacking-noscript-tag" media="all" href="$path/css/seckit.noscript_tag.css" />
         <div id="seckit-noscript-tag">