This header can be added manually to a CRM site by going to the HTTP Response Headers section in IIS Manager. Adding a new header called X-FRAME-OPTIONS with a value of SAMEORIGIN will prevent CRM from being loaded in an IFrame, unless the container page is hosted on the same domain.
Please note that this header may not be effective in all browsers. The protection afforded by the X-Frame-Options header will only apply to IE8 and later, and current versions of Safari, Firefox and Chrome.
The header will not be set by default in Sage CRM installation, as it may interfere with customer customisations. There should be no issues enabling the header with a new copy of Sage CRM, should this be so desired.