Blog | G5 Cyber Security

Flying Naked: Why Most Web Apps Leave You Defenseless

An attacker frames your web page, makes it transparent, and floats it over its own site. The defense is simple: just add an X-FRAME-OPTIONS: SAMEORIGIN header to all your pages. A passive tool (like OWASP's ZAP) can verify that the header is set on all your web pages in a test environment. Training and standardization are key to improving application security in the future, says John Defterios.
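One way to apply the header to every response and then check it in a test environment, as an added example that is not from the original article. It assumes a Python WSGI application; `frame_guard`, `audit`, `demo_app` and the page list are hypothetical names and constructed sample data.

```python
# Added example: frame_guard, audit, demo_app and PATHS are illustrative assumptions.
from wsgiref.util import setup_testing_defaults

HEADER = "X-Frame-Options"
ALLOWED = {"SAMEORIGIN", "DENY"}  # values that block cross-origin framing


def frame_guard(app, value="SAMEORIGIN"):
    """WSGI middleware: force one X-Frame-Options header on every response."""
    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            # Drop any existing copies (header names are case-insensitive) so
            # the response never carries conflicting or duplicate values.
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            kept.append((HEADER, value))
            return start_response(status, kept, exc_info)
        return app(environ, guarded_start)
    return wrapped


def audit(app, paths):
    """Passive check: request each path, return those without a valid header."""
    failing = []
    for path in paths:
        environ = {"PATH_INFO": path}
        setup_testing_defaults(environ)
        seen = []
        def start_response(status, headers, exc_info=None):
            seen.extend(v.strip().upper() for k, v in headers
                        if k.lower() == HEADER.lower())
        for _ in app(environ, start_response):
            pass
        # Exactly one header with an allowed value is required.
        if len(seen) != 1 or seen[0] not in ALLOWED:
            failing.append(path)
    return failing


def demo_app(environ, start_response):
    """Constructed sample app: /legacy sets an invalid value, others set none."""
    headers = [("Content-Type", "text/html")]
    if environ["PATH_INFO"] == "/legacy":
        headers.append(("x-frame-options", "ALLOWALL"))
    start_response("200 OK", headers)
    return [b"<h1>ok</h1>"]


PATHS = ["/", "/login", "/legacy"]  # constructed page list
```

Running `audit(demo_app, PATHS)` lists every page, including the one that sets a non-protective value, while `audit(frame_guard(demo_app), PATHS)` returns an empty list.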

Source: https://www.darkreading.com/application-security/flying-naked-why-most-web-apps-leave-you-defenseless
