Which HTTP security header specifically prevents a web page from being embedded in an iframe to mitigate clickjacking attacks?