Please note that it seems on HTTPS pages sometimes the X-Frame-Options header is not sent when only the headers are requested although it is there. So always perform both checks.