Bypass X-Frame-Options (Proxy protection NOT used)

We have found a vulnerability in our site.

  • bypass X-Frame-Options (Proxy protection NOT used)

Proxy protection is NOT used, and the X-Frame-Options header can be bypassed to recreate clickjacking on the whole domain. Also, we don’t have reverse proxy protection, which allows attackers to proxy our website rather than iframe it.

Probably there is a need to implement CSP headers and set the X-Frame-Options header to DENY, but we are not sure how to do it.

Kindly help with what has to be done here.
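
An added example, not part of the original post: a small Python check that audits a response's headers for the two controls the question names, X-Frame-Options and a CSP `frame-ancestors` directive. The header samples and the function names are constructed for illustration.

```python
# Added example (not from the original post): audit anti-framing response headers.
# Header samples below are constructed for illustration.

HARDENED = [  # the two headers the post proposes, in their strictest form
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]
WEAK = [  # constructed: obsolete ALLOW-FROM and a CSP without frame-ancestors
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Content-Security-Policy", "default-src 'self'"),
]

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP header, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # first occurrence wins
    return None

def audit(headers):
    """headers: (name, value) pairs as received. Returns a list of findings."""
    findings = []
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    lists = [s for s in map(frame_ancestors, csp) if s is not None]
    if not lists:
        # default-src does not fall back to frame-ancestors, so framing is unrestricted
        findings.append("CSP: no frame-ancestors directive")
    for sources in lists:
        if any(s in ("*", "http:", "https:") for s in sources):
            findings.append("CSP: frame-ancestors allows any origin")
    if not xfo:
        findings.append("XFO: header missing")
    elif len(xfo) > 1 or "," in xfo[0]:
        findings.append("XFO: multiple values sent, send exactly one")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers
        findings.append("XFO: unsupported value " + xfo[0])
    return findings

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(sample) or "ok")
```

Both headers are enforced by the visitor's browser on responses served from the site itself, so they address the framing issue in the question, not a copy of the site served through a third-party proxy.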