To elaborate the above question a little:

During one of the Security Scans of our application, we got the following comment from the system:

"Insufficient Content Security Policy – While the application implements a Content Security Policy (CSP), this policy is exceptionally lax and provides little to no protection. If the application is opened in modern browsers, including Edge, the policy also allows the application to be loaded into an IFRAME overruling other security headers."

Any help in this regard is appreciated.

Can you check your application is enabled with Cross-Site Request Forgery (CSRF) settings, if it is enabled it will prevent your application from IFRAME loading in third party application.

Reference link

https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection

After the DSS add or change, restart the server and do the security scan.

CSRF example 

<!DOCTYPE html>
<html>
<body>

<h1>The iframe element</h1>

<iframe src="https://www.w3schools.com" title="W3Schools Free Online Web Tutorials">
</iframe>

</body>
</html>

If you run this code from local or any server, W3schools won't allow to show the website in Iframe. Our pega app also should work this way.

Hi Samik and John,

The IFraming issues are not directly relates to CSRF configuration.

The Frame-Ancestors directive in your CSP (Content Security Policy) probably needs a stricter policy. Configure your own policy based on the pxDefaultSecured and update that directive as suggested by Brad.

Also, to protect the login screen, set the DSS prconfig/initialization/PromoteEmbeddedPortals/default to true. As described in https://community.pega.com/knowledgebase/articles/security/dynamic-system-settings-application-security

Please also consider upgrading to the most recent Pega version to get various security enhancements.

Eric