To prevent clickjacking, nopCommerce should use X-Frame-Options: SAMEORIGIN.
Implementation is easy and can be seen here:
https://dotnetcoretutorials.com/2017/01/08/set-x-frame-options-asp-net-core/
Also, browser XSS should be considered:
https://dotnetcoretutorials.com/2017/01/10/set-x-xss-protection-asp-net-core/
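One way to send both headers from an ASP.NET Core pipeline, as an added example that is not part of the original post and is not nopCommerce's own code. The names SecurityHeadersMiddleware and UseSecurityHeaders are hypothetical, and the X-XSS-Protection value "1; mode=block" is an assumption, since the post does not specify one.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (name chosen for this example) that adds the two
// headers discussed above to every response.
public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task Invoke(HttpContext context)
    {
        // OnStarting runs just before the headers are flushed, so the values
        // are applied even when a later component writes the response, and
        // no header is modified after the response has started.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // Do not overwrite a value that a controller or plugin set on purpose
            // (for example DENY on a payment page).
            if (!headers.ContainsKey("X-Frame-Options"))
                headers["X-Frame-Options"] = "SAMEORIGIN"; // one token, no hyphen

            // Assumed value: enable the browser's XSS filter in blocking mode.
            if (!headers.ContainsKey("X-XSS-Protection"))
                headers["X-XSS-Protection"] = "1; mode=block";

            return Task.CompletedTask;
        });

        return _next(context);
    }
}

public static class SecurityHeadersExtensions
{
    // Hypothetical helper: call app.UseSecurityHeaders() early in Configure(),
    // before static files and MVC, so every response is covered.
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
    {
        return app.UseMiddleware<SecurityHeadersMiddleware>();
    }
}
```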