As per the June 2019 WAS Scan report:

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons. Attacks such as Clickjacking could potentially be performed.

The "X-Frame-Options:" header allows three options: DENY, SAMEORIGIN and ALLOW-FROM. It is recommended to set "X-FRAME-OPTIONS" to DENY, which won't allow any domain to frame the site, or SAMEORIGIN, which only allows framing by the same site. DENY and SAMEORIGIN are supported by all browsers. Setting "X-FRAME-OPTIONS" to ALLOW-FROM may still leave users vulnerable to Clickjacking since not all browsers support ALLOW-FROM, including CHROME and SAFARI.

For more information, see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. For more common X-FRAME-OPTIONS implementation errors, please visit the link below: https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-putyour-
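To re-check this finding after a fix, the following added example (not part of the scan report) classifies the X-Frame-Options headers of one response according to the options described above. The function name `audit_xfo`, the status labels, the sample headers, and the choice to report conflicting values as a misconfiguration are assumptions of this example.

```python
# Added example: classify the X-Frame-Options header(s) of one HTTP response.
# Status labels and the "conflicting values" policy are this example's own.
RELIABLE = {"DENY", "SAMEORIGIN"}  # the two values the report calls universally supported


def audit_xfo(headers):
    """headers: list of (name, value) pairs as received. Returns (status, detail)."""
    # Header names are case-insensitive, and a response may repeat the header
    # or comma-join several values, so collect every token before judging.
    tokens = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            tokens += [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return ("missing", "X-Frame-Options not set; page can be framed")
    distinct = {t.upper() for t in tokens}
    if len(distinct) > 1:
        # Assumption: more than one distinct value is reported as a misconfiguration.
        return ("invalid", "conflicting values: " + ", ".join(sorted(distinct)))
    value = distinct.pop()
    if value in RELIABLE:
        return ("ok", value)
    if value.startswith("ALLOW-FROM"):
        return ("unreliable", "ALLOW-FROM is not supported by all browsers")
    return ("invalid", "unrecognized value: " + value)


if __name__ == "__main__":
    # Constructed sample responses, not taken from the scanned application.
    samples = [
        [("Content-Type", "text/html")],
        [("X-Frame-Options", "DENY")],
        [("x-frame-options", "sameorigin")],
        [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        [("X-Frame-Options", "SAMEORGIN")],  # misspelled value
        [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    ]
    for hdrs in samples:
        print(audit_xfo(hdrs), "<-", hdrs)
```
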