X-Frame-Options: SAMEORIGIN
What is Clickjacking? https://en.wikipedia.org/wiki/Clickjacking
See also:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- Clickjacking Defense Cheat Sheet
Content-Security-Policy: frame-src 'self'
What is CSP, Content Security Policy? https://www.owasp.org/index.php/Content_Security_Policy
See also:
X-Content-Type-Options: nosniff
This is a security feature that helps prevent attacks based on MIME-type confusion.