We are developing a restful API that fulfils some various events. We have done a Nessus vulnerability scan to see security leaks. It turned out that we have some leaks leads to clickjacking and we have found the solution. I have added x-frame-options as SAMEORIGINin order to handle problems.
My question here is that, since I am an API, do I need to handle clickjacking? I guess 3rd party user should be able to reach my API over an iframe and I don't need to handle this.
Do I miss something? Could you please share your ideas?
Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.
Original answer:
OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.
I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!