Which attack does the X-Frame-Options header help prevent?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which attack does the X-Frame-Options header help prevent?

X-Frame-Options controls whether a page can be loaded inside a frame on another site. By using values like DENY or SAMEORIGIN, the server tells the browser not to display the page in an iframe from a different origin, which prevents attackers from layering your UI under their page to trick users into clicking something unintended. This directly mitigates clickjacking, where a user’s actions are hijacked by a deceptive frame.

These other attacks involve different weaknesses and aren’t stopped by frame controls: CSRF relies on forged requests that appear legitimate and is mitigated with anti-CSRF tokens; SQL injection stems from unsafely constructed queries and is blocked by parameterized queries and input validation; XSS comes from injecting script into pages and is mitigated by proper input/output handling and content security policies.
