This "account settings" page ships a destructive one-click button and NO frame protection — /public/_headers deliberately omits X-Frame-Options and CSP frame-ancestors, and there is no JavaScript frame-buster. An attacker can iframe it transparently and trick a victim into clicking Delete.
Trigger: <iframe src="/clickjacking/" style="opacity:.01"> positioned under a decoy button.
Detected by: browser_clickjacking_test, browser_clickjacking_poc_generate