This header determines if the site can be embedded in an IFRAME.
The code below can be placed into an Apache virtual host file. Remember to first test the configuration and then reload or restart the web server otherwise if your Apache doesn't have a module installed or activated it will prevent it from starting.
The code will set the X-Frame-Options header so the site can be embedded only from pages hosted on the same domain.
There's an exception and let's say you have widgets whose content needs to be embedded. When that request is requested the X-Frame-Options header is unset/removed so the content can be embedded correctly.
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN
# Do we unset it now?
SetEnvIf Request_URI ^/?widgets?/content/.* skip_x_frame_options_header
#SetEnvIf X-Requested-From mobile-app skip_x_frame_options_header=1
Header unset X-Frame-Options env=skip_x_frame_options_header
</IfModule>
This code was tested in an .htaccess file as well and works. If you see a 500 Internal Server Error. You have to check the log files and see what's the error message. then you can find a way to add/enable the missing apache module.
This X-Frame-Options is supposed to prevent so called Clickjacking.
Wikipedia: Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
The same header can be output using PHP or other language. Having it at server level attaches the header to static files as well.
That means that people won't be able to embed your images, JavaScript or CSS files.
Image: Angèle Kamp (@angelekamp) on Unsplash. Image ID: IWzloaVyoOw