X-Frame-Options tells browsers whether your pages are allowed to be loaded inside an <iframe> on someone else's site — without it, an attacker can embed your real login page invisibly inside their own page and trick users into clicking things they don't intend to (clickjacking).
Without this header, attackers can embed your site in a hidden iframe and trick users into clicking invisible buttons — credential theft and unwanted actions (clickjacking).
The response header X-Frame-Options: SAMEORIGIN (or DENY) is present on your pages.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →