Use X-Frame-Options header to protect against ClickJacking.

libraries/header_http.inc.php

@@ -20,6 +20,10 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
  * Sends http headers
  */
 $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
+/* Prevent against ClickJacking by allowing frames only from same origin */
+if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
+    header('X-Frame-Options: SAMEORIGIN');
+}
 header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
 header('Last-Modified: ' . $GLOBALS['now']);
 header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1