fix(security): set x-frame-options deny

To prevent clickjacking and UI redress attacks, don't allow this page to
be iframed.

lib/server/config.js

@@ -14,7 +14,7 @@ module.exports = {
           maxAge: 15552000,
           includeSubdomains: true
         },
-        xframe: false,
+        xframe: true,
         xss: true,
         noOpen: false,
         noSniff: true

test/server.js

@@ -31,10 +31,13 @@ function checkVersionAndHeaders(path) {
       var xssHeader = res.headers['x-xss-protection'];
       assert.equal(xssHeader, '1; mode=block');
 
+      // frame options header
+      var frameHeader = res.headers['x-frame-options'];
+      assert.equal(frameHeader, 'DENY');
+
       // but the other security builtin headers from hapi are not set
       var other = {
         'x-download-options': 1,
-        'x-frame-options': 1,
       };
 
       Object.keys(res.headers).forEach(function(header) {