nginx: Set X-Frame-Options header to DENY.

While there are legitimate use cases for embedding Zulip in an iframe,
they're rare, and it's more important to prevent this category of
attack by default.

Sysadmins can switch this to a whitelist when they want to use frames.
Tim Abbott
2018-05-25 08:23:12 -07:00
parent bbcdf8ca99
commit afdfdf775c


@@ -4,6 +4,9 @@ error_log /var/log/nginx/error.log;
# Enable HSTS: tell browsers to always use HTTPS
add_header Strict-Transport-Security max-age=15768000;
# Set X-Frame-Options to deny to prevent clickjacking
add_header X-Frame-Options DENY;
# Serve a custom error page when the app is down
error_page 502 503 504 /static/html/5xx.html;
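Review bot: the new `add_header X-Frame-Options DENY;` line sits at the same level as the existing HSTS `add_header`, so it inherits the same nginx caveat: `add_header` directives are only inherited into a nested `server` or `location` block when that block defines no `add_header` of its own, and any block that does will silently lose both this header and the HSTS header. Worth checking the other nginx fragments for such blocks and either repeating the header there or noting the restriction in a comment next to this line. Separately, the commit message promises that sysadmins can "switch this to a whitelist", but the header value itself only offers `DENY` or `SAMEORIGIN` (the old `ALLOW-FROM` form takes a single origin and is not honored by most current browsers), so the documented way to allow specific framing origins would be a `Content-Security-Policy: frame-ancestors` header rather than an edit to this value; a short pointer to that in the comment above the directive would save operators a detour.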