The X-Frame-Options HTTP header is used to tell if a webpage is allowed to be used in a frame/iframe.
Frames can be used for click-jacking/UI-redress attacks.
It is advised to set X-Frame-Options to ‘DENY’ to prevent the page from being used for click-jacking.
But, is it not possible for the attacker to tamper with the headers (especially with no SSL) OR provide his own page-that-mimics-the-original-page into the frame?
Maybe it is useful when the user is logged in to the original site and the attacker’s frame displays a personalized page from the original site to convince the user. But, I suppose a dedicated attacker can mimic that too.
What can you tell about x-frame-options as a security feature and cautions when using it?
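As an added illustration (not part of the question above): the header is enforced by the victim's browser when it decides whether to render the framed document, so the attacker's framing page never gets to "tamper" with it; what matters is which values the browser actually honours. The Python below models that browser-side decision after the check described in the WHATWG HTML standard; header values and origins are constructed sample input.

```python
"""Model of the browser-side X-Frame-Options check (after the WHATWG HTML standard).

Caveats this makes visible: unknown or mistyped values give no protection,
SAMEORIGIN is checked against every ancestor frame, and a Content-Security-Policy
with frame-ancestors, when present, takes precedence over this header entirely.
"""


def parse_xfo(header_values):
    """Return the set of lowercase tokens from all X-Frame-Options fields.

    header_values: every X-Frame-Options field in the response (the header may be
    repeated, and each field may itself hold a comma-separated list).
    """
    tokens = set()
    for raw in header_values:
        for part in raw.split(","):
            part = part.strip().lower()
            if part:
                tokens.add(part)
    return tokens


def framing_allowed(header_values, page_origin, ancestor_origins):
    """True if a browser would render the page inside a frame.

    page_origin: origin of the framed response, e.g. "https://bank.example"
    ancestor_origins: origins of every ancestor document up to the top level.
    """
    tokens = parse_xfo(header_values)
    if not tokens:
        return True  # no header at all: anyone may frame the page
    if len(tokens) > 1:
        # Conflicting values: block if any recognised directive is among them,
        # otherwise the header is treated as garbage and ignored.
        return not (tokens & {"deny", "sameorigin", "allowall"})
    (token,) = tokens
    if token == "deny":
        return False
    if token == "sameorigin":
        # Every ancestor must share the origin, not just the direct parent.
        return all(origin == page_origin for origin in ancestor_origins)
    # "allow-from ...", "allowall" or a typo such as "deny;" fall through: no protection.
    return True


if __name__ == "__main__":
    site, attacker = "https://bank.example", "https://attacker.example"  # constructed
    print(framing_allowed(["DENY"], site, [attacker]))                  # False
    print(framing_allowed(["ALLOW-FROM https://partner.example"], site, [attacker]))  # True
```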