
When to use X-Frame-Options?


In what scenarios should the X-Frame-Options HTTP header be used?

An HTTP header which indicates whether the browser should allow the webpage to be displayed in a frame within another webpage. Used as a defense against clickjacking attacks.

Does this only make sense on web pages that contain a <form> element?

Does this only make sense on web pages that perform an HTTP POST request?

Is this for the checkout page on an e-commerce website?

What scenarios should it be used for?


Solution

  • Simple answer is: everywhere where framing is not needed.

    Framing can be dangerous because it allows you to load a fully working site within another site and potentially fake interaction with it in a process known as click-jacking.

    Say for example I set up a fake site with a URL that looks like a real Internet banking site. This is a lot easier by framing the real site rather than having to go to effort of creating a fake copy. Then I create fake input fields over the top of username and password fields and read in those values, and sit back and collect usernames and passwords.

    So you could argue that perhaps you only need to do this on pages with forms but really why go and make it hard on yourself and have to decide and remember to set it on each page with a form? Just set it once for the whole site and forget about it.

    Also allowing framing of other "non-important" pages, as well as making it easy to forget one as per above, allows the whole site to be faked easily and then only the login or checkout pages to have to be manually faked. So I could set up a fake version of Amazon.com, frame the whole of Amazon.com so it looks authentic and then, as soon as you go to check out, redirect you to my checkout page. It's a lot easier to fake one page than a whole site.

    So back to my original response to your question: why would you NOT want to put this header everywhere? Yes it's a few extra bytes in each response but, unless you've a highly optimised site, that's really noticeable. And yes it's technically not a standard (hence the X- bit of the name) but every mainstream browser supports the main "DENY" and "SAMEORIGIN" variants of it so why not use it?
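The answer's advice is to set the header once for the whole site rather than per page. The following is an added example illustrating that approach; it is not code from the answerer or from any project. It is a WSGI middleware that stamps X-Frame-Options (DENY by default, SAMEORIGIN only for an explicit allowlist of path prefixes) onto every response, overriding any stray per-page value, and also emits the standardised Content-Security-Policy frame-ancestors equivalent. The site handler, the paths and the stray "ALLOWALL" value are constructed for the demonstration; `run_wsgi` and `is_frame_protected` are hypothetical helpers so the policy can be checked in-process without a server.

```python
# Added example (not from the original answer): apply X-Frame-Options
# site-wide as WSGI middleware instead of remembering it on each page.

VALID_POLICIES = ("DENY", "SAMEORIGIN")

# Standardised CSP equivalent of each X-Frame-Options value, sent alongside it.
_CSP_FOR = {
    "DENY": "frame-ancestors 'none'",
    "SAMEORIGIN": "frame-ancestors 'self'",
}


class FrameOptionsMiddleware:
    """Wrap a WSGI app so every response forbids cross-site framing."""

    def __init__(self, app, default="DENY", sameorigin_prefixes=()):
        if default not in VALID_POLICIES:
            raise ValueError("policy must be DENY or SAMEORIGIN")
        self.app = app
        self.default = default
        self.sameorigin_prefixes = tuple(sameorigin_prefixes)

    def policy_for(self, path):
        """DENY everywhere, except opt-in prefixes framed only by our own origin."""
        if any(path.startswith(p) for p in self.sameorigin_prefixes):
            return "SAMEORIGIN"
        return self.default

    def __call__(self, environ, start_response):
        policy = self.policy_for(environ.get("PATH_INFO") or "/")

        def start_with_policy(status, headers, exc_info=None):
            # Drop any per-page value so one handler cannot weaken the
            # site-wide policy, then add ours plus the CSP form.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", policy))
            kept.append(("Content-Security-Policy", _CSP_FOR[policy]))
            return start_response(status, kept, exc_info)

        return self.app(environ, start_with_policy)


def is_frame_protected(headers):
    """Audit helper (hypothetical): True if the headers forbid cross-site framing."""
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.strip().upper() in VALID_POLICIES:
            return True
        if lname == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def run_wsgi(app, path):
    """Invoke a WSGI app in-process (no network); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def sample_site(environ, start_response):
    """Constructed stand-in for a real site; one legacy handler sets a bad value."""
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if path == "/legacy":
        # "ALLOWALL" is not a valid value; browsers ignore it, leaving the page frameable.
        headers.append(("X-Frame-Options", "ALLOWALL"))
    start_response("200 OK", headers)
    return [b"<html><body>page " + path.encode() + b"</body></html>"]


# Wrap once for the whole site; only /widget/ may be framed, and only by us.
protected_site = FrameOptionsMiddleware(sample_site, sameorigin_prefixes=("/widget/",))

if __name__ == "__main__":
    for path in ("/login", "/checkout", "/legacy", "/widget/embed"):
        _, hdrs, _ = run_wsgi(protected_site, path)
        print(path, dict(hdrs)["X-Frame-Options"], is_frame_protected(hdrs))
```

Wrapping the application object once means a newly added page, or a handler that sets its own weaker value, still ends up with DENY; the allowlist is the only place where framing is deliberately permitted, which keeps the decision in one reviewable spot.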