WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site.
That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton to send the header for all pages, except those that are specifically excluded.
Note that if you’re using static page caching, the `wp_headers` filter won’t be called. In that case, it’s better to set it at the web server layer.
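An added example of the approach described above (it is not the post's own functionality-plugin snippet): it hooks the `wp_headers` filter, which receives the `WP` object as its second argument, and skips the `/embed/` endpoint so WordPress's own oEmbed output stays frameable; the filter name `example_frame_options_excluded` is a hypothetical name chosen for this example.

```php
<?php
/**
 * Send X-Frame-Options on the front end, except for pages that are meant to
 * be framed by other sites. Added example, not the original post's code.
 *
 * Caveat from the post: a static page cache serves pages without running
 * WordPress, so this filter never fires for cached hits; set the header at
 * the web server layer in that case.
 */
add_filter( 'wp_headers', 'example_add_frame_options_header', 10, 2 );

/**
 * @param array $headers Headers WordPress is about to send.
 * @param WP    $wp      Main WP object; its query_vars are parsed when wp_headers runs.
 * @return array
 */
function example_add_frame_options_header( $headers, $wp ) {
	// The /embed/ variant of a post is the oEmbed HTML other sites place in an
	// iframe; blocking framing there would break WordPress as an oEmbed provider.
	// The 'embed' query var is set by core's embed rewrite endpoint.
	$is_embed_request = ! empty( $wp->query_vars['embed'] );

	// Hypothetical filter so a theme or plugin can exclude further pages.
	$excluded = apply_filters( 'example_frame_options_excluded', $is_embed_request, $wp );

	if ( $excluded ) {
		return $headers;
	}

	// Don't override an X-Frame-Options value something else already set.
	foreach ( array_keys( $headers ) as $name ) {
		if ( 0 === strcasecmp( $name, 'X-Frame-Options' ) ) {
			return $headers;
		}
	}

	// SAMEORIGIN is the value core's send_frame_options_header() uses for wp-admin.
	$headers['X-Frame-Options'] = 'SAMEORIGIN';

	return $headers;
}
```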
Here’s an easier one-liner that works:
`add_action( 'send_headers', 'send_frame_options_header', 10, 0 );`
Ah, that’s a good point. I’d probably still want to wrap it in a conditional to make sure that the oEmbed endpoint isn’t broken, though; similar to:
https://meta.trac.wordpress.org/browser/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/security.php?rev=5517