Use one or the other to prevent other sites from iframing your site in order to prevent clickjacking. DENY means nobody can iframe your site; SAMEORIGIN means you can iframe a page or content of yours elsewhere on your site. Place the code in your cPanel/public_html/.htaccess file or equivalent.
This is not for hotlinking, it is to prevent clickjacking.
Header always set X-Frame-Options "DENY"
Header always set X-Frame-Options "SAMEORIGIN"
These types of headers are part of what they call Content Security Policy. It is a complex way of denying man-in-the-middle attacks, page reload attacks, breaches and exploits. Writing a Content Security Policy is a very effective way of securing traffic in and out of any server. But it can be very challenging to understand and code. I am currently working on a tutorial which I will post here within a week.
In a nutshell, if somebody wanted to steal your e-commerce shopping cart info or website login info, they would copy your shopping cart or login page and host it somewhere in a dark corner of the internet. Now, skipping some details which I obviously am not going to tell you, they iframe your site on top of the fake pages under their control. So when a person inputs credit card info or logs in, it is actually being typed into the fake site and the hacker receives the credit card or login info.
Be safe out there!
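To confirm the .htaccess line above actually took effect, the check below audits a raw HTTP response header block for X-Frame-Options. It is an added example, not code from the original post; the function names and the sample responses are constructed for illustration.

```python
# Added example: audit X-Frame-Options in a raw HTTP response header block.
# Function names and sample responses are constructed for illustration.

ALLOWED = {"DENY", "SAMEORIGIN"}  # the two values this page recommends


def xfo_values(raw_response):
    """Return every X-Frame-Options value, upper-cased, in order of appearance."""
    values = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block; the body follows
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # A comma-joined header carries several values, like repeated headers.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def audit(raw_response):
    """Classify the response as missing, invalid, conflict, or ok:<value>."""
    values = xfo_values(raw_response)
    if not values:
        return "missing"   # header never reached the client
    distinct = set(values)
    if not distinct <= ALLOWED:
        return "invalid"   # typo or a value other than DENY / SAMEORIGIN
    if len(distinct) > 1:
        return "conflict"  # both values arrived; use one or the other
    return "ok:" + values[0]


# Constructed sample responses (not captured from a real server).
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nX-Frame-Options: DENY"
TYPO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n"
BOTH = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
        "x-frame-options: sameorigin\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("missing", MISSING),
                          ("typo", TYPO), ("both", BOTH)]:
        print(label, "->", audit(sample))
```

Feed it the headers saved from your own site's response. Check an error page as well as a normal page, since both should carry the header.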