Ahead of a system migration (to Debian 9 'stretch') my system adminstrator prepared a webserver for me to use with Moodle.
After a certain time of usage, we noticed fileupload via 'classical' filepicker and 'edit HTML' in TinyMCE editor did not work due to "Load denied by X-Frame-Options: …/repository/repository_ajax.php?action=upload does not permit framing." errors.
The httpd setting for X-Frame-Options was the cause.
It would be nice if in admin/environment.php or upon installation/upgrade there were a check looking after this setting.
Be aware of this httpd setting. It should at least state
Header always append X-Frame-Options "SAMEORIGIN"
Header always append X-Frame-Options "DENY"