Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header

Question

I have a couple of web instances under a ALB, did a penetration test recently. One of the vulnerabilities was "Missing or Permissive Content-Security-Policy frame-ancestors