Send X-Frame-Options on all served pages

[majek]

To prevent clickjacking new browsers introduced X-Frame-Options header. Although SockJS does not have any clickable elements, it would be good to send this header for hygiene. Especially for pages that are intended to be framed (htmlfile, iframe.html):

https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
https://www.owasp.org/index.php/Clickjacking#Defending_with_response_headers