Vulnerability scanners may report the following finding against the ESXi Host Client.
The following pages do not set a Content-Security-Policy frame-ancestors response header, or set a permissive policy:
- https://ip/
- https://ip/cgi-bin
- https://ip/cgi-bin/dada
- https://ip/cgi-bin/eboard40
- https://ip/cgi-bin/eboard40/
- https://ip/cgi-bin/mt
- https://ip/cgi-bin/openwebmail
- https://ip/cgi-bin/sysinfo
- https://ip/cgi-bin/twiki
- https://ip/cgi-bin/viewvc.cgi
- https://ip:9080/
VMware vSphere ESXi
The vulnerability scanners check only for a Content-Security-Policy header and ignore the alternative control that addresses the same concern.
The necessary protection is already in place through the response header "x-frame-options: DENY".
This can be marked as false positive.
The use of x-frame-options: DENY (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) is a strong measure for preventing the page from being embedded in iframes on external websites. This header blocks attempts to frame the content and thereby protects against clickjacking attacks. Since the ESXi Host Client sends it by default in all responses, the necessary protection is already in place.
The frame-ancestors directive of the Content-Security-Policy (CSP) header serves the same purpose, so it is redundant when x-frame-options: DENY is set. Both headers aim to prevent iframe embedding, and applying both would not add additional security.
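To confirm the false positive on a given host, a practitioner can read the response headers and classify them rather than rely on the scanner's single-header check. The following script is an added example for this article, not part of the ESXi Host Client or of any VMware tooling; the `assess_framing`, `is_false_positive` and `fetch_headers` helpers and the sample header sets are constructed for the illustration. It treats X-Frame-Options DENY or SAMEORIGIN as sufficient, and checks CSP first because, per the CSP specification, a browser that supports frame-ancestors enforces that directive and ignores X-Frame-Options when both are present.

```python
"""Classify a response's anti-framing protection from its headers.

Added example for checking the scanner finding described above; it is not
part of the ESXi Host Client or of any VMware tooling. The helpers and the
sample header sets below are constructed for this illustration.
"""
import http.client
import ssl


def _parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing(headers: dict) -> str:
    """Return one of: 'csp-restrictive', 'csp-permissive', 'xfo-restrictive',
    'xfo-weak', 'unprotected'.

    Header lookup is case-insensitive, as HTTP header names are.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:
            # Browsers that support CSP frame-ancestors enforce it and ignore
            # X-Frame-Options when both are present, so CSP is evaluated first.
            # Wildcard and scheme-only sources allow framing by any site.
            permissive = any(s in ("*", "https:", "http:") for s in sources)
            return "csp-permissive" if permissive else "csp-restrictive"
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
            return "xfo-restrictive"
        # ALLOW-FROM is deprecated and ignored by current browsers; treat as weak.
        return "xfo-weak"
    return "unprotected"


def is_false_positive(headers: dict) -> bool:
    """True when the 'missing frame-ancestors' finding is covered by another control."""
    return assess_framing(headers) in ("csp-restrictive", "xfo-restrictive")


def fetch_headers(host: str, port: int = 443, path: str = "/") -> dict:
    """Fetch response headers from a live host (never called at import time).

    ESXi hosts commonly present self-signed certificates, so verification is
    disabled here purely to read headers; do not reuse this context elsewhere.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return dict(resp.getheaders())


# Constructed sample responses (not captured from a real host).
ESXI_LIKE = {"X-Frame-Options": "DENY", "Content-Type": "text/html"}
PERMISSIVE_CSP = {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"}
NONE_CSP = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"}
BARE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    # Replace the samples with fetch_headers("<esxi-host>") to check a real host.
    for name, hdrs in [("esxi-like", ESXI_LIKE), ("permissive-csp", PERMISSIVE_CSP),
                       ("csp-none", NONE_CSP), ("bare", BARE)]:
        print(f"{name}: {assess_framing(hdrs)} (false positive: {is_false_positive(hdrs)})")
```

The `PERMISSIVE_CSP` sample shows the case that is not a false positive: a permissive frame-ancestors directive overrides an X-Frame-Options: DENY in CSP-capable browsers, so a host that adds CSP later must keep the directive restrictive. For the ESXi Host Client headers described in this article, the classification is `xfo-restrictive` and the finding can be closed.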
Further references:
http://www.nessus.org/u?55aa8f57
"Preventing the browser from loading the page in frame using the X-Frame-Options OR Content Security Policy (frame-ancestors) HTTP headers."
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
"Setting frame-ancestors directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers)."
https://content-security-policy.com/
"frame-ancestors defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY"