Sorry for the delay, you make a very good point (with it applying to authenticated user at the console).
So, to ensure that the X-Frame-Options header is used for login.jsp, would that only come about in a new version of Openfire ? Or a simple replacement/update of login.jsp that we could somehow use/deploy right away?
(I am not a java programmer but could learn to compile/repackage if need be)
In any event, thanks for the insight