A vulnerability assessment (VA) scan reported the "Missing or Permissive X-Frame-Options Header" finding on the CA NFA Harvester server:
We observed that the remote web server does not take steps to mitigate clickjacking attacks by setting a restrictive X-Frame-Options response header (i.e. with either "DENY" or "SAMEORIGIN").
We recommend setting an X-Frame-Options header with either 'DENY' or 'SAMEORIGIN' for all requested resources.
Release: 21.2
Ensure that X-Frame-Options is set to SAMEORIGIN on the Default Web Site.
Once this is set, re-run the scan.
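
One way to apply and confirm the setting above from PowerShell. This is an added example, not part of the original article or vendor code. It assumes the Default Web Site is hosted in IIS, that the WebAdministration module is available, and that it runs in an elevated Windows PowerShell session; the `http://localhost/` URL is a placeholder.

```powershell
# Added example, not vendor code. Assumes IIS with the WebAdministration module
# and an elevated Windows PowerShell session on the Harvester server.
Import-Module WebAdministration

$psPath = 'IIS:\Sites\Default Web Site'
$filter = 'system.webServer/httpProtocol/customHeaders'
$entry  = "$filter/add[@name='X-Frame-Options']"
$want   = 'SAMEORIGIN'

# Look up any existing entry so the header is not added twice.
$current = Get-WebConfiguration -PSPath $psPath -Filter $entry

if (-not $current) {
    # Header absent: add it once.
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = 'X-Frame-Options'; value = $want }
    Write-Output "Added X-Frame-Options: $want"
}
elseif ($current.value -ne $want) {
    # Header present with another value: overwrite rather than add a duplicate.
    Set-WebConfigurationProperty -PSPath $psPath -Filter $entry -Name 'value' -Value $want
    Write-Output "Changed X-Frame-Options from '$($current.value)' to '$want'"
}
else {
    Write-Output "X-Frame-Options already set to $want"
}

# Confirm what the server actually sends before re-running the scan.
# The URL is a placeholder; use one that returns a successful response.
$resp = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
"X-Frame-Options on the wire: $($resp.Headers['X-Frame-Options'])"
```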