You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nessus will report this issue during your scanning phase.
X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.
Web Application Potentially Vulnerable to Clickjacking
Plugin ID: 85582
The anti-clickjacking X-Frame-Options header is not present
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy ‘frame-ancestors’ response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The ‘frame-ancestors’ policy directive restricts which sources can embed the protected resource.
Return the X-Frame-Options or Content-Security-Policy (with the ‘frame-ancestors’ directive) HTTP header with the page’s response.
This prevents the page’s content from being rendered by another site when using the frame or iframe HTML tags.