--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -143,6 +143,9 @@ abstract class ApiFormatBase extends ApiBase {
 
 		$this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
 
+		//Set X-Frame-Options for all API calls (bug 39180)
+		$this->getMain()->getRequest()->response()->header( "X-Frame-Options: DENY" );
+
 		if ( $isHtml ) {
 ?>
 <!DOCTYPE HTML>