A third-party vulnerability scanner reported a Cross-Site Request Forgery (CSRF) vulnerability when scanning port 8443 against the Symantec Endpoint Protection Manager (SEPM) server.

14.3

In SEPM 14.2 RU1 and later, instead of using the X-Frame-Options header, Symantec uses the newer Content-Security-Policy: frame-ancestors 'self' header.
The newer header is supported by the major modern browsers, so the lack of the obsoleted X-Frame-Options header does not constitute a vulnerability.

Symantec uses frame-busting JavaScript in addition to Content-Security-Policy for pages that contain sensitive information.