
X-Frame-Options

X-Frame-Options: DENY

What it does

Controls whether the page may be embedded in an iframe — the classic clickjacking defense (DENY / SAMEORIGIN).

The gotcha

Superseded by CSP frame-ancestors, but kept for older browsers; conflicting values between the two confuse middleware stacks.
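The conflict described above, as an added example that is not part of the original page: a Python check over one response's headers that flags an X-Frame-Options value disagreeing with CSP frame-ancestors. The function names and sample headers are constructed for illustration; it assumes the usual equivalence of DENY with 'none' and SAMEORIGIN with 'self'.

```python
# Added example: audit the two framing controls on a single response.
# Assumed equivalence: DENY <-> 'none', SAMEORIGIN <-> 'self'.
XFO_EQUIV = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}

def frame_ancestors(headers):
    """Return one source list per CSP policy that has a frame-ancestors directive."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):            # a comma separates policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    # an empty source list matches nothing, same as 'none'
                    found.append([p.lower() for p in parts[1:]] or ["'none'"])
                    break                           # first occurrence per policy wins
    return found

def x_frame_options(headers):
    """Return every X-Frame-Options token, upper-cased, across repeated headers."""
    tokens = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            tokens += [t.strip().upper() for t in value.split(",") if t.strip()]
    return tokens

def audit(headers):
    """Return a list of findings; an empty list means the two controls agree."""
    xfo, fa = x_frame_options(headers), frame_ancestors(headers)
    findings = []
    if not xfo and not fa:
        findings.append("no framing control set")
    if len(set(xfo)) > 1:
        findings.append("multiple X-Frame-Options values: " + ", ".join(xfo))
    for token in sorted(set(xfo) - set(XFO_EQUIV)):
        findings.append("unrecognised X-Frame-Options value: " + token)
    for token in sorted(set(xfo) & set(XFO_EQUIV)):
        for sources in fa:
            if sources != XFO_EQUIV[token]:
                findings.append(f"{token} disagrees with frame-ancestors {' '.join(sources)}")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE_CONFLICT = [("X-Frame-Options", "DENY"),
                   ("Content-Security-Policy",
                    "default-src 'self'; frame-ancestors 'self' https://partner.example")]
SAMPLE_MATCH = [("x-frame-options", "sameorigin"),
                ("Content-Security-Policy", "frame-ancestors 'self'")]
```

Browsers that implement frame-ancestors enforce it and ignore X-Frame-Options when both are present, so in SAMPLE_CONFLICT the page is framable by the partner origin in those browsers and blocked everywhere in older ones.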

Debugging headers on a phone

The fastest way to see what X-Frame-Options is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history.
