1 person found this helpful
Well I think you have partially answered your question. Yes X-FRAME-OPTIONS are set by default in Jive 7. As for the X-XSS-PROTECTION header that is an IE only thing to my knowledge so I wouldn't set it unless you have some internal use case that requires it to be set.
If you do decide to set it I would think a plugin and filter is a bit of overkill. Seems you could just set it with Apache configuration and avoid that plugin.
This can also be configured in Apache, but has some extra options for logging issues to the server, that's where a plugin could be used.