As of today it is not possible for the QMC to adjust the X-Frame-Options in the http header.
This leads to vulnerability possibilities with e.g. clickjacking.
We need a setting in the QVManagementService.exe.config or a xml config file to add additional response headers.
E.g.
X-Frame-Options: SAMEORIGIN
As seen in article https://support.qlik.com/articles/000022197
This is possible in Qlik Sense (virtual proxy advanced configuration) as in Qlikview webserver using this way https://support.qlik.com/articles/000094340 or a standalone IIS, but it’s not available for the QMC part of Qlikview.