Summary
Acunetix 360 detected that frame-ancestors is missed in CSP declaration. It allows the injection of iframes.
Remediation
Set frame-ancestors to 'none' in CSP declaration:
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self' https://www.example.org