The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy ‘frame-ancestors’ response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker tricks a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
Return the X-Frame-Options or Content-Security-Policy (with the ‘frame-ancestors’ directive) HTTP header with the page’s response.
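The following is an added example, not part of the scanner finding above, showing how a defender can verify the remediation: it classifies a response's headers as protected or not (honouring the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options, and that the obsolete ALLOW-FROM value offers no protection in modern browsers) and builds the header pair a server should emit on every response. The function names, the SAMPLES dictionary and its header values are constructed for illustration and are not drawn from any real site.

```python
"""Check whether an HTTP response carries framing protection.

Added example; the sample headers below are constructed for illustration.
"""
from typing import Dict, Optional

# Values of X-Frame-Options that browsers still honour. ALLOW-FROM is
# obsolete and ignored by modern browsers, so it counts as no protection.
_XFO_VALID = {"DENY", "SAMEORIGIN"}


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def frame_protection(headers: Dict[str, str]) -> dict:
    """Classify the framing protection a response offers.

    Returns a dict with:
      protected: True if framing by arbitrary origins is blocked
      mechanism: 'csp', 'xfo', or None
      detail:    the effective policy value
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # When frame-ancestors is present it overrides X-Frame-Options.
            # 'none', 'self' or an explicit host list blocks arbitrary framing;
            # a wildcard does not.
            detail = " ".join(ancestors)
            return {"protected": "*" not in ancestors, "mechanism": "csp", "detail": detail}
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() in _XFO_VALID:
        return {"protected": True, "mechanism": "xfo", "detail": xfo.strip().upper()}
    return {"protected": False, "mechanism": None, "detail": xfo}


def hardened_headers(allowed_ancestors=("'self'",)) -> Dict[str, str]:
    """Headers a server should add to every response to close this finding.

    Both headers are sent: CSP frame-ancestors is the current standard and
    X-Frame-Options covers older browsers that ignore frame-ancestors.
    """
    sources = " ".join(allowed_ancestors)
    xfo = "DENY" if sources == "'none'" else "SAMEORIGIN"
    return {
        "Content-Security-Policy": f"frame-ancestors {sources}",
        "X-Frame-Options": xfo,
    }


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete_xfo": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:14s} -> {frame_protection(hdrs)}")
    print("hardened:", hardened_headers(("'none'",)))
```

Run `frame_protection` over the headers of every content response the scanner flagged, not just the landing page, since the finding concerns all content responses; any result with `protected` False still needs the headers from `hardened_headers` added at the server or reverse proxy.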