The Content Security Policy header and X-frame options header do not show as enabled in the security report even though the options have been enabled in the settings. This will be addressed if the settings are shown in the response header.