Content Security Policy is missing the frame-ancestors directive

A Content Security Policy (CSP) is a set of rules that tells browsers what content your site is allowed to load and display. The frame-ancestors directive specifically controls whether your site can be embedded inside another website — a protection against "clickjacking", where attackers trick users into clicking hidden buttons. Your CSP does not include this directive, though an older protection called X-Frame-Options is currently doing the same job.

Why this matters

The older X-Frame-Options header provides adequate protection today, but the CSP frame-ancestors directive is the modern standard and is more reliable across different browsers. Running both provides an extra layer of defence.

How to fix it

Add frame-ancestors 'none' to your site's Content-Security-Policy header to block your pages from being embedded in any iframe on any other site. If you intentionally allow embedding on your own domain, use frame-ancestors 'self' instead. Your web developer can add this directive alongside your existing CSP configuration.
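As an added illustration of the fix described above (example code written for this page, not part of the original report or of any scanner), the Python below parses a Content-Security-Policy header into its directives, reports whether frame-ancestors is present and what it allows, falls back to X-Frame-Options when it is not, and appends `frame-ancestors 'none'` (or 'self') to an existing policy without disturbing the other directives. The header values in `SAMPLES` are constructed for the example; the function names are this example's own.

```python
"""Check a site's clickjacking protection and repair a CSP that lacks frame-ancestors.

Added example, not from the original page. Header values below are constructed
samples; real sites deliver them in the HTTP response, and the check should be
run against the enforcing Content-Security-Policy header (a Report-Only header
or a <meta> tag does not enforce frame-ancestors).
"""
from __future__ import annotations

# Constructed sample responses: header name (lower-cased) -> header value.
SAMPLES = {
    # The situation this finding describes: X-Frame-Options only, CSP present
    # but with no frame-ancestors directive.
    "legacy_only": {
        "x-frame-options": "DENY",
        "content-security-policy": "default-src 'self'; script-src 'self'",
    },
    # After the fix: both protections in place.
    "fixed": {
        "x-frame-options": "DENY",
        "content-security-policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    },
    # Embedding intentionally allowed from the site's own origin and one partner.
    "self_embed": {
        "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://app.example.com",
    },
    # Neither header: page can be framed by any site.
    "unprotected": {},
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';', tokens by whitespace, and directive names
    are case-insensitive. If a directive is repeated, the first occurrence
    wins, which is how browsers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def frame_ancestors_policy(headers: dict[str, str]) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    return parse_csp(headers.get("content-security-policy", "")).get("frame-ancestors")


def add_frame_ancestors(csp: str, sources: str = "'none'") -> str:
    """Return csp with 'frame-ancestors <sources>' appended if it is missing.

    Existing directives are left untouched; an already-present frame-ancestors
    directive is kept as-is rather than overwritten.
    """
    if "frame-ancestors" in parse_csp(csp):
        return csp
    csp = csp.strip().rstrip(";").strip()
    return f"{csp}; frame-ancestors {sources}" if csp else f"frame-ancestors {sources}"


def assess(headers: dict[str, str]) -> dict:
    """Classify the response's clickjacking protection the way the finding does."""
    ancestors = frame_ancestors_policy(headers)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if ancestors is not None:
        # CSP frame-ancestors is authoritative; browsers that support it ignore X-Frame-Options.
        embedding = "blocked everywhere" if ancestors == ["'none'"] else "allowed from " + " ".join(ancestors)
        return {"protected": True, "source": "csp", "embedding": embedding, "finding": None}
    if xfo in ("DENY", "SAMEORIGIN"):
        embedding = "blocked everywhere" if xfo == "DENY" else "same origin only"
        return {
            "protected": True,
            "source": "x-frame-options",
            "embedding": embedding,
            "finding": "CSP is missing the frame-ancestors directive",
        }
    return {"protected": False, "source": None, "embedding": "any site", "finding": "no clickjacking protection"}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:12} -> {assess(headers)}")
    print("repaired:", add_frame_ancestors(SAMPLES["legacy_only"]["content-security-policy"]))
```

Running the script prints an assessment for each sample and the repaired header for the `legacy_only` case, which becomes `default-src 'self'; script-src 'self'; frame-ancestors 'none'`. Keep X-Frame-Options in place after adding the directive: browsers that understand frame-ancestors use it and ignore the older header, while older ones still honour X-Frame-Options.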