Adding `X-Frame-Options: DENY` to the response header helps protect against malicious framing of the web page, and as a solution it's certainly better than client-side JavaScript solutions.

But just how useful is it? Is it supported by all (modern) browsers, and can it be bypassed by hackers intent on hijacking your site?
EricLaw's page maintains a list of supporting browsers.

Current versions of the major desktop browsers all support it; older versions, niche browsers and some mobile browsers don't. So you will probably want to include an anti-framing `<script>` as well, to set `top.location` (and remove the page content first in case of anti-frame-busting; see this question for why).

You might prefer the script approach to `X-Frame-Options` when you want to selectively allow framing. `X-Frame-Options` does not permit ‘whitelisting’, so you can't, e.g., allow Google Images traffic but not others.

Either way, IE6-7 will still allow attackers to frame your page and disable the frame-buster. Unfortunately the questionable `<iframe security>` attribute existed before `X-Frame-Options`. You could try adding `<base target="_top">` to try to make any navigation break out of traditional framing (or just not work, in the presence of anti-frame-busters), but this can't help you against invisible-iframe-overlay attacks.
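The two layers described in the answer, the `X-Frame-Options` response header plus a fallback frame-busting script that blanks the page before setting `top.location`, as an added example in Node.js that is not part of the original answer. The function names (`antiFramingHeaders`, `bustFrames`, `renderPage`, `handleRequest`) and the hostname `example.test` are my own; the frame-busting logic takes a window-like object as a parameter so it can be exercised outside a browser with a constructed mock.

```javascript
'use strict';

// Header layer. X-Frame-Options only knows DENY and SAMEORIGIN; there is no
// per-origin allow list, which is why a script fallback is needed when
// framing must be selectively allowed.
function antiFramingHeaders(mode = 'DENY') {
  if (mode !== 'DENY' && mode !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options only supports DENY or SAMEORIGIN');
  }
  return {
    'X-Frame-Options': mode,
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Script layer. `win` is a window-like object; in the browser it is `window`.
// If we are framed, the page content is removed FIRST and the top-level
// navigation is attempted second: a hostile parent can cancel the navigation
// (the "anti-frame-busting" the answer refers to), but it cannot put the
// blanked content back, so there is nothing left to click-jack.
function bustFrames(win) {
  if (win.top === win.self) {
    return { framed: false, blanked: false, navigated: false };
  }
  win.document.body.innerHTML = '';             // remove content first
  let navigated = false;
  try {
    win.top.location = win.self.location.href;  // then break out of the frame
    navigated = true;
  } catch (e) {
    // Some environments throw on cross-origin access; the blank body still stands.
  }
  return { framed: true, blanked: true, navigated };
}

// The served page carries the frame-buster inline (its source is taken from the
// function above) together with the <base target="_top"> hint from the answer.
function renderPage() {
  return [
    '<!doctype html>',
    '<html><head>',
    '<base target="_top">',
    '<script>(' + bustFrames.toString() + ')(window);</script>',
    '</head><body>',
    '<p>Page content that must not be framed by other sites.</p>',
    '</body></html>',
  ].join('\n');
}

// Request handler for Node's http module, e.g.
//   require('http').createServer(handleRequest).listen(8080)
function handleRequest(req, res) {
  res.writeHead(200, antiFramingHeaders('DENY'));
  res.end(renderPage());
}

module.exports = { antiFramingHeaders, bustFrames, renderPage, handleRequest };
```

The header is the real defence in browsers that honour it; the inline script only matters for the older and niche browsers the answer mentions, and even there a parent page can block the navigation, which is why the content is blanked before the `top.location` assignment rather than after.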