I came across a few servers which I did not deploy IPS (both network & endpoint IPS) clickjackg
signatures & x-frame-options are not coded in the webservers too.
However, security consultant scanned & claims that the URL / websites are not-vulnerable.
Is there any other means, say from apps level or some other codings that could mitigate
against clickjacking to the extent that security scanner reports it as non-vulnerable