X-Frame-Options controls whether your page can be loaded inside an <iframe> on another origin. DENY blocks all framing; SAMEORIGIN allows framing only by pages on the same origin. The header is the primary defense against clickjacking, in which an attacker embeds your page inside an invisible iframe overlay and tricks users into clicking elements they don't see.
Modern equivalent: CSP's frame-ancestors directive (Content-Security-Policy: frame-ancestors 'none') does the same job and supports more flexible policies (multiple allowed origins). When both headers are present, modern browsers honor frame-ancestors; older browsers and security scanners still check X-Frame-Options.
Most sites should send both: X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none'. Two headers, one line of config each, total clickjacking immunity.
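To check that a response actually carries both headers and that they agree, the audit below reads the header pairs and reports the policy older clients see, the policy modern browsers apply, and any gaps. It is an added example, not code from the original page; the function names, the partner.example origin and the sample headers are constructed for illustration.

```python
# Added example (not from the original page): audit a response's anti-framing headers.
# Sample headers below are constructed; function names are hypothetical.
VALID_XFO = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}  # XFO value -> equivalent source list

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, i.e. behaves like 'none'.
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None

def audit_framing(headers):
    """headers: list of (name, value) pairs. Returns legacy/modern policy and issues."""
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    policies = []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                policies.append(sources)
    issues = []
    legacy = xfo[0] if len(xfo) == 1 and xfo[0] in VALID_XFO else None
    if not xfo:
        issues.append("no X-Frame-Options: older browsers and scanners see no policy")
    elif legacy is None:
        issues.append(f"X-Frame-Options unusable (want one DENY or SAMEORIGIN): {xfo}")
    modern = policies[0] if len(policies) == 1 else None
    if not policies:
        issues.append("no CSP frame-ancestors: modern browsers fall back to X-Frame-Options")
    elif modern is None:
        issues.append("frame-ancestors set in several CSP headers: review each policy")
    if legacy and modern and sorted(VALID_XFO[legacy]) != sorted(modern):
        issues.append(f"headers disagree: X-Frame-Options {legacy} vs frame-ancestors {modern}")
    return {"legacy": legacy, "modern": modern, "issues": issues}

if __name__ == "__main__":
    recommended = [("X-Frame-Options", "DENY"),
                   ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")]
    mismatched = [("X-Frame-Options", "DENY"),
                  ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example")]
    for sample in (recommended, mismatched, []):
        print(audit_framing(sample))
```

A mismatch matters because the two client populations then enforce different rules: older browsers apply X-Frame-Options while modern ones apply frame-ancestors.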