Click-Jacking. It tells you all about it on the Wikipedia article.
This posting is about how to avoid security scans telling you to disable click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).
The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).
Firstly make sure that you are loading the Apache module to modify HTTP headers :-
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
This may be enabled by default on less minimalistic Linux distributions. Next for every virtual server add the following :-
Header always append X-Frame-Options DENY
The effective options (the other option may or may not be universally supported) for the word at the end are: DENY (don’t permit at all), and SAMEORIGIN (only permit from the same server).
The “X-Frame-Options” header is deprecated and an alternative is suggested :-
Header always append Content-Security-Policy: "frame-ancestors 'none'"
In some cases it may be necessary to try the following :-
Header always append Content-Security-Policy: "frame-ancestors 'self'"