Double x-frame-options header on Listed.to
Describe the bug
Any website on the listed.to domain and all listed.to custom domains return multiple x-frame-options headers. They're also both different (sameorigin and deny). Browsers don't expect multiple x-frame-options headers and this results in undefined behavior. You should only send a single x-frame-options header.
To Reproduce
Steps to reproduce the behavior:
- Go to listed.to
- Look at the HTTP headers
More
X-Content-Type-Options is also doubled up, but contains the same content both times. Could still confuse some browsers and should be avoided. Also, you probably don't want to send X-Powered-By and Server headers in production.
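
A check for the conditions reported above, as an added example that is not part of the original issue or the project's code: it parses a raw response head, flags repeated X-Frame-Options and X-Content-Type-Options headers (distinguishing conflicting values from plain duplicates), and notes X-Powered-By and Server. The sample response is constructed, and its Server and X-Powered-By values are placeholders.

```python
from collections import defaultdict

# Headers that should appear exactly once in a response (per the issue above).
SINGLE_VALUE = {"x-frame-options", "x-content-type-options"}
# Headers the issue suggests not sending in production.
DISCLOSURE = {"x-powered-by", "server"}

# Constructed sample response head, modelled on the behaviour the issue describes.
# The Server and X-Powered-By values are placeholders, not taken from listed.to.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example-server\r\n"
    "X-Powered-By: example-framework\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "x-frame-options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Group header values by lower-cased name, keeping every occurrence."""
    seen = defaultdict(list)
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    return seen

def audit(raw):
    """Return sorted (header, finding) tuples for the problems named in the issue."""
    seen = parse_headers(raw)
    findings = []
    for name in SINGLE_VALUE:
        values = seen.get(name, [])
        if len(values) > 1:
            distinct = {v.lower() for v in values}
            kind = "conflicting" if len(distinct) > 1 else "duplicate"
            findings.append((name, f"{kind}: {', '.join(values)}"))
    for name in DISCLOSURE:
        if name in seen:
            findings.append((name, "disclosure header present"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The same `audit` function can be fed the output of `curl -sI` against a staging host, provided line endings are preserved as CRLF.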