The order does not matter and/or you can combine the code:
<IfModule mod_headers.c> # Block other sites from displaying your website in iFrames & Protects against Clickjacking # Using DENY will block all iFrames including iFrames on your own website # Header set X-Frame-Options DENY # Recommended: Use SAMEORIGIN. iFrames from the same site are allowed but other sites are blocked Header always append X-Frame-Options SAMEORIGIN # Protects against Drive-by Download attacks & MIME/Content/Data sniffing Header set X-Content-Type-Options nosniff </IfModule>