The following option is available under the Security tab in WHM >> Tweak Settings:
Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd
It defaults to OFF and per it’s description:
Use the X-Frame-Options HTTP response header to indicate whether a browser can render a page in a <frame>, <iframe> or <object> tag. This allows websites to ensure that their contents are not embedded into other sites, to avoid clickjacking attacks.
The server uses the X-Content-Type-Options response HTTP header to indicate that the MIME types in the Content-Type headers should not be changed or followed.
When you enable this option, the system adds the X-Frame-Options header, with a value of SAMEORIGIN, and the X-Content-Type-Options header, with a value of nosniff, to cpsrvd responses.
If you wanted to modify this setting via the command line, you’d use the following command:
whmapi1 set_tweaksetting key=xframecpsrvd value=0
“1” represents ON and “0” represents OFF.