Enabled by default. This rule guards against cross-site scripting and clickjacking attacks on the Login page by implementing the X-Frame-Options HTTP response header. This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>, thus ensuring that content is not embedded into other sites. The key/value pair is:

The page can only be displayed in a frame of the same origin as the page itself.

Disabled by default. This is a more stringent Login page anti-cross-site scripting and clickjacking rule. The key/value pair is:

In this case, the page cannot be displayed in a frame, regardless of the site attempting to do so.

Enabled by default. This setting sets the standard document type for Internet Explorer in rendering HTML pages. The default value is IE8.