Ideally we would like to configure forms to be served up with the X-Frame-Options: deny header.
X-Frame-Options can be configured at Form Space > Properties tab
Cool, the notes on that property say:
The 'X-Frame-Options' HTTP header value, options include: [ NONE | SAMEORIGIN | ALLOW-FROM www.example.com ]. If blank then no 'X-Frame-Options' header will be set.
Can we also set 'DENY'?
Yes, you can use 'DENY'