So far we used a JavaScript hack only to prevent cross-frame scripting clickjacking attacks. A better method is to use the X-Frame-Options Header.
The option is not on by default but encouraged to turn on. As we do not know if it has any negative side effects it is no on by default.
See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet