What it is
X-Frame-Options is a response header that controls whether other websites are allowed to embed your pages inside a frame or iframe. The modern equivalent is the `frame-ancestors` directive in a Content-Security-Policy; either one signals the same intent to the browser.
Why it matters
Without framing protection, an attacker can load your real page invisibly on top of their own and trick a logged-in user into clicking buttons they cannot see, a technique called clickjacking. For anything with authenticated actions (account changes, payments, approvals), this is a meaningful risk that a single header removes.
How WebGuard checks it
WebGuard reads your response headers and reports whether the X-Frame-Options header is present. The check only inspects headers your public site already returns and sends no intrusive requests. Note that a modern CSP frame-ancestors policy provides equivalent protection, so review this finding in that context.
A sensible starting configuration:
X-Frame-Options: DENY