Hi Sebastiaan,
I hope you found the answer. I'm adding this answer for anyone who'll search for the question on the forum.
When hosting On Premise, preventing iframe embedding is something done by the web-server rather than a Mendix setting. As far as I can tell for IIS you have to use the X-Frame-Options header: