I found this:
To prevent clickjacking we recommend that you configure your webserver to provide the HTTP header set to .
For more information on clickjacking please see the OWASP site.
Which points to https://www.owasp.org/index.php/Clickjacking
Looks like this is configured at the web server level.
I will file a ticket and check the right approach.
Please do Share this this the community for future references.
Follows what Adobe responded:
Could you please open this page  and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.
Let me know if you have any question.
nsole/configMgr/org.apache.sli ng.engine.impl.SlingMainServle t
Also , an image of the configuration:
Hope that helps community.