Goal
- Reduce the risk of your pages being embedded in a frame on a third-party site and used in misleading ways, for example to trick visitors into clicking on controls they cannot see (clickjacking).
Implementation
Configure the server to send the X-Frame-Options HTTP header on every HTML response, including error pages, with the value DENY (to prohibit any inclusion of the page in a frame, whatever the site) or SAMEORIGIN (to limit inclusion to frames whose origin, that is scheme, host and port, matches the page's; a different subdomain does not count). The values are case-insensitive. The header must be sent as a real HTTP header: browsers ignore it when it is placed in a meta tag. The ALLOW-FROM value (intended to limit inclusion to specific URLs) never had sufficient browser support and is ignored by current browsers, so a page sent with it is effectively unprotected; if you need an allowlist of framing sites, use the Content-Security-Policy frame-ancestors directive, which browsers that support it treat as taking precedence over X-Frame-Options.
Control
Check, using an HTTP header inspection tool (browser developer tools, curl -I or an online header checker), that every HTML response carries exactly one X-Frame-Options header with the value DENY or SAMEORIGIN. Treat a missing header, an ALLOW-FROM value, or conflicting duplicate headers (a proxy that adds its own value is a common cause) as failures. If the response also carries a Content-Security-Policy with a frame-ancestors directive, that directive governs framing and must not allow * .
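As an added example that is not part of the original guideline, the following Python script shows both sides of this check: a helper that produces the headers the Implementation section asks a server to send, and a checker that evaluates headers captured from a response the way the Control section describes. Framework integration (adding the headers in nginx, Apache or a web framework) is assumed to be handled separately; the header sets at the bottom are constructed for the demonstration, and the partner URL in them is hypothetical.

```python
# Added example (not from the original page): produce anti-framing headers
# and audit captured response headers. Sample header sets are constructed.
from typing import Iterable, List, Tuple

Header = Tuple[str, str]
ACCEPTED = {"DENY", "SAMEORIGIN"}


def frame_protection_headers(policy: str = "DENY") -> List[Header]:
    """Headers to add to every HTML response for the given policy.

    Only DENY and SAMEORIGIN are produced. ALLOW-FROM is refused because
    current browsers ignore it, which would leave the page unprotected.
    The equivalent Content-Security-Policy frame-ancestors directive is
    sent alongside: it is the standardised successor and browsers that
    support it give it precedence over X-Frame-Options.
    """
    policy = policy.upper()
    if policy not in ACCEPTED:
        raise ValueError(f"unsupported X-Frame-Options policy: {policy!r}")
    ancestors = "'none'" if policy == "DENY" else "'self'"
    return [
        ("X-Frame-Options", policy),
        ("Content-Security-Policy", f"frame-ancestors {ancestors}"),
    ]


def check_frame_protection(headers: Iterable[Header]) -> Tuple[bool, str]:
    """Decide whether captured response headers prevent third-party framing.

    Returns (protected, reason). Header names and X-Frame-Options values are
    matched case-insensitively, since browsers accept 'deny' as well as 'DENY'.
    """
    headers = list(headers)
    xfo = [v.strip() for k, v in headers if k.lower() == "x-frame-options"]
    csp = [v for k, v in headers if k.lower() == "content-security-policy"]

    # A frame-ancestors directive, when present, governs framing and makes
    # X-Frame-Options irrelevant, so evaluate it first.
    for policy in csp:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if "*" in sources:
                    return False, "frame-ancestors * allows any site to frame the page"
                shown = " ".join(tokens[1:]) or "'none'"  # empty list means 'none'
                return True, f"CSP frame-ancestors {shown}"

    if not xfo:
        return False, "X-Frame-Options header missing"
    distinct = {v.upper() for v in xfo}
    if len(distinct) > 1:
        # Browsers do not agree on how to merge conflicting values; a proxy
        # that adds a second, different header is a finding in itself.
        return False, f"conflicting X-Frame-Options values: {sorted(distinct)}"
    value = distinct.pop()
    if value in ACCEPTED:
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is ignored by current browsers; the page is unprotected"
    return False, f"unrecognised X-Frame-Options value {xfo[0]!r}"


# Constructed header sets standing in for captured responses.
SAMPLES = {
    "hardened": frame_protection_headers("sameorigin"),
    "legacy deny only": [("Content-Type", "text/html"), ("x-frame-options", "deny")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "missing": [("Content-Type", "text/html")],
    "open csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors *")],
    "conflicting": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = check_frame_protection(hdrs)
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```

Run the script as-is to see each constructed case graded; to audit a live site, feed `check_frame_protection` the header pairs from a real response (for instance `response.headers.items()` from an HTTP client). The checker deliberately fails duplicate headers only when their values differ, because two identical DENY headers are harmless while DENY next to SAMEORIGIN depends on browser-specific merging.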