What is X-Frame-Options?

Note: The X-Frame-Options header is being superseded by the more flexible frame-ancestors directive of the Content Security Policy (CSP). When you enable the Frame Ancestors header in Really Simple Security Pro (Security -> Settings -> Security Headers -> Content Security Policy), the plugin will automatically set the matching X-Frame-Options header as well.

X-Frame-Options is a security header that lets the website administrator control whether their site may be embedded in another page through mechanisms such as an <iframe>, <embed> or <object>.

iFrames are commonly used to carry out clickjacking attacks. In such an attack, a malicious site loads the target site in an iFrame and tricks visitors into unintentionally performing actions on the framed site, such as clicking buttons or links, while they believe they are interacting with the malicious page. The goal could be to download malware, to harvest likes for social pages, or to gain access to credentials, personal data, etc.

Options

There are two possible values for X-Frame-Options:

SAMEORIGIN: Only allows the site to be embedded on the same domain/origin. This is the recommended setting: it blocks other domains from embedding your site while still allowing your own site to embed itself.

DENY: Prevents the site from being embedded at all. This blocks other domains and your own domain alike, so you cannot embed your own pages either. Note: only use the DENY setting if no embedding mechanisms are used on your site, as DENY causes issues with page builders that rely on mechanisms like <iframe>.

If you require your site to be loaded or embedded in iFrames on a different domain, do not set an X-Frame-Options header.
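To make the three cases above concrete, here is an added example (not code from Really Simple Security or from the plugin) that models how a browser decides whether a page may be rendered inside a frame, given the page's response headers and the chain of ancestor frames. It covers SAMEORIGIN, DENY, an absent header, and the frame-ancestors precedence mentioned in the note above (when a CSP frame-ancestors directive is present, the browser ignores X-Frame-Options). The header sets and URLs are constructed sample values, and the treatment of invalid or conflicting X-Frame-Options values is modelled on Chromium's behaviour, which is an assumption noted in the code.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real site): the header
# combinations an administrator might end up with.
SAMPLE_RESPONSES = {
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "deny": [("X-Frame-Options", "DENY")],
    "unset": [],
    # frame-ancestors present: the DENY below is ignored by browsers.
    "csp_partner": [
        ("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example"),
    ],
}


def origin_of(url):
    """Return scheme://host[:port], lower-cased, with the default port dropped."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname}{port}".lower()


def _source_matches(source, page_origin, ancestor_origin):
    """Simplified CSP source-expression matching for frame-ancestors:
    'none', 'self', '*', scheme-source (https:) and host-source with
    optional scheme, '*.' wildcard and port."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return ancestor_origin == page_origin
    if s == "*":
        return True
    a_scheme, a_host_port = ancestor_origin.split("://", 1)
    if s.endswith(":") and "://" not in s:          # scheme-source, e.g. https:
        return a_scheme == s[:-1]
    if "://" in s:
        s_scheme, s_host_port = s.split("://", 1)
        if s_scheme != a_scheme:
            return False
    else:
        s_host_port = s
        # A scheme-less host source inherits the page's scheme; https always qualifies.
        if a_scheme not in (page_origin.split("://", 1)[0], "https"):
            return False
    s_host, _, s_port = s_host_port.partition(":")
    a_host, _, a_port = a_host_port.partition(":")
    default = {"http": "80", "https": "443"}.get(a_scheme, "")
    a_port = a_port or default
    if s_port:
        if s_port != "*" and s_port != a_port:
            return False
    elif a_port != default:                         # no port given: default port only
        return False
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])          # sub.example, not example itself
    return s_host == a_host


def _frame_ancestor_sources(headers):
    """Collect the source list of every frame-ancestors directive present."""
    policies = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):             # comma-joined CSP headers
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    policies.append(parts[1:] or ["'none'"])  # empty list == 'none'
    return policies


def may_be_framed(headers, page_url, ancestor_urls):
    """Return (allowed, reason) for page_url loaded under the given chain of
    ancestor frames, top-level document first. Every ancestor must pass."""
    page_origin = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    if not ancestors:
        return True, "top-level navigation, no framing involved"
    policies = _frame_ancestor_sources(headers)
    if policies:
        # frame-ancestors takes precedence; X-Frame-Options is ignored entirely.
        for sources in policies:
            for anc in ancestors:
                if not any(_source_matches(s, page_origin, anc) for s in sources):
                    return False, f"frame-ancestors blocks {anc}"
        return True, "allowed by frame-ancestors"
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return True, "no X-Frame-Options header: any site may embed the page"
    if len(set(xfo)) > 1:
        # Assumption: conflicting values are refused, as Chromium does.
        return False, "conflicting X-Frame-Options values"
    value = xfo[0]
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        for anc in ancestors:
            if anc != page_origin:
                return False, f"X-Frame-Options: SAMEORIGIN blocks {anc}"
        return True, "X-Frame-Options: SAMEORIGIN, all ancestors are same-origin"
    # Assumption: an unrecognised value is ignored, as Chromium does.
    return True, f"invalid X-Frame-Options value {value!r} is ignored"


if __name__ == "__main__":
    page = "https://shop.example/checkout"
    for label, headers in SAMPLE_RESPONSES.items():
        for embedder in ("https://shop.example/", "https://partner.example/embed",
                         "https://attacker.example/"):
            print(label, embedder, may_be_framed(headers, page, [embedder]))
```

Running the block prints one decision per header set and embedder; the "csp_partner" rows show the partner origin being admitted despite the DENY header, which is why the note above says the plugin manages both headers together.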
