tls – How good can X-Frame-Options HTTP header do against click-jacking?

  1. The X-Frame-Options HTTP header is used to tell whether a webpage is allowed to be used in a frame/iframe.

  2. Frames can be used for click-jacking/UI-redress attacks.

  3. It is advised to set X-Frame-Options to ‘DENY’ to prevent the page from being used for click-jacking.

But, is it not possible for the attacker to tamper with the headers (especially with no SSL) OR provide his own page-that-mimics-the-original-page into the frame?

Maybe it is useful when the user is logged in to the original site and the attacker’s frame displays a personalized page from the original site to convince the user. But, I suppose a dedicated attacker can mimic that too.

What can you tell about x-frame-options as a security feature and cautions when using it?
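Added example, not part of the question above: a small JavaScript model of the decision the framing headers drive in the browser. The function names (`mayBeFramed`, `frameAncestors`, `sourceMatches`, `originOf`) and all header values are my own constructions. It models one embedding ancestor, the `DENY` and `SAMEORIGIN` values of X-Frame-Options, and the Content-Security-Policy `frame-ancestors` directive that takes precedence over X-Frame-Options when both are present; wildcard hosts and scheme-only sources are not handled. It shows why the header is a server-side response property (the embedding page cannot change it) and what happens when the header is missing or carries an unrecognised value.

```javascript
// Added example, not part of the original question: a simplified model of how a
// browser decides whether a response may be rendered inside a frame, driven by
// the X-Frame-Options (XFO) header and the CSP frame-ancestors directive.
// All header values used with it are constructed sample data.

// Reduce a URL to its origin (scheme + host + port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Return the source list of a frame-ancestors directive, or null when absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Match one frame-ancestors source expression against the embedder's origin.
// Handles 'self', '*', "scheme://host" and bare "host" forms only.
function sourceMatches(src, framerOrigin, framedOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return framerOrigin === framedOrigin;
  if (s === "*") return true;
  if (s.includes("://")) return originOf(s) === framerOrigin;
  return new URL(framerOrigin).host === s;
}

// Decide whether the page at framedUrl, served with the given response headers,
// may be embedded by a page at framerUrl. Header names are case-insensitive.
function mayBeFramed(headers, framedUrl, framerUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const framedOrigin = originOf(framedUrl);
  const framerOrigin = originOf(framerUrl);

  // frame-ancestors, when present, overrides X-Frame-Options entirely.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources) {
    if (sources.some((s) => s.toLowerCase() === "'none'")) return false;
    return sources.some((s) => sourceMatches(s, framerOrigin, framedOrigin));
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === framedOrigin;
  // Missing or unrecognised value (e.g. the obsolete ALLOW-FROM): the header is
  // ignored and the page can be framed, which is the click-jacking exposure.
  return true;
}

// Stand-alone demonstration with constructed headers.
if (typeof require !== "undefined" && require.main === module) {
  const framed = "https://bank.example/account";
  console.log("DENY, hostile embedder   :", mayBeFramed({ "X-Frame-Options": "DENY" }, framed, "https://evil.example/"));
  console.log("no header, hostile       :", mayBeFramed({}, framed, "https://evil.example/"));
  console.log("SAMEORIGIN, own site     :", mayBeFramed({ "X-Frame-Options": "SAMEORIGIN" }, framed, "https://bank.example/help"));
}
```

The decision depends only on the framed page's own response headers, so a page an attacker controls can neither add nor strip the header for someone else's site; what it can do is serve a look-alike page of its own, which no framing header addresses.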