That was easy. After watching this talk at 28C3, I enabled the X-Frame-Options header for Apache and Varnish.

Apache:

Header set X-Frame-Options deny

Varnish:

sub vcl_deliver {
  set resp.http.X-Frame-Options = "deny";
}
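
To confirm that the header set above actually reaches the client, a small check over raw response headers can help. This is an added example, not part of the original post; the function names and the sample responses are constructed for illustration, and it assumes only `deny` and `sameorigin` should be accepted.

```python
"""Check a raw HTTP response for a usable X-Frame-Options header."""

# Values this check accepts (compared case-insensitively).
# Assumption of this example: ALLOW-FROM from RFC 7034 is treated as invalid.
VALID = {"deny", "sameorigin"}


def xfo_values(raw_response):
    """Return every X-Frame-Options value in the header block, lowercased."""
    values = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line marks the end of the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # Duplicate headers may arrive folded into one comma-separated value.
            values.extend(v.strip().lower() for v in value.split(","))
    return values


def check_xfo(raw_response):
    """Classify the response as 'ok', 'missing', 'invalid' or 'conflicting'."""
    values = xfo_values(raw_response)
    if not values:
        return "missing"
    if any(v not in VALID for v in values):
        return "invalid"
    if len(set(values)) > 1:
        return "conflicting"  # e.g. backend and cache each set a different value
    return "ok"


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
             "X-Frame-Options: deny\r\nVia: 1.1 varnish\r\n\r\n<html>")
SAMPLE_MISSING = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
SAMPLE_CONFLICT = ("HTTP/1.1 200 OK\r\nX-Frame-Options: deny\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n")
SAMPLE_INVALID = "HTTP/1.1 200 OK\r\nX-Frame-Options: allow-all\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                          ("conflict", SAMPLE_CONFLICT), ("invalid", SAMPLE_INVALID)]:
        print(label, "->", check_xfo(sample))
```

Feed it the headers of both normal pages and error pages, fetched through Varnish as well as directly from Apache, so that a response missing the header in either path shows up.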