For all of you using nginx and having this issue with the duplicated header by response.php. Just add this to your nginx config to remove the one added by nextcloud:
fastcgi_hide_header X-Frame-Options;
proxy_hide_header X-Frame-Options;
The first one should be enough but you know… better safe than sorry 
Or I assume it is safe to completely remove this header from the nginx config as it is not present in the official config example neither.
Edit: X-Frame-Options is back in the documentation for version 17 of nextcloud.