14-Jul-2020 06:57
Hi all,
Issue: A security scanner detects a missing X-Frame-Options header in the initial redirect response from APM. When https://myapplication.mydomain.com/ (which is behind APM) gets requested, the initial response is a redirect to https://myapplication.mydomain.com/my.policy. The 302 response does not contain X-Frame-Options, and the following response from /my.policy does. Obviously this is more of a scanner logic issue than an APM issue; however, in reality most applications will insert X-Frame-Options in the 302. Is there a way to enforce X-Frame-Options on APM redirects?
Thanks,