The ICS default 404 page is hard-coded in ICS and does not contain any content that could lead to clickjacking risk. It is also not possible to customize the 404 response page. Hence, the X-Frame-Options header was made "Not Mandatory" for the 404 response URL.
If your company security policy requires X-Frame-Options as "Mandatory", there is an alternative option to make ICS send the X-Frame-Options header in the 404 response. Under System >> Configuration >> Security >> Advanced >> Custom HTTP Headers, configure X-Frame-Options with SAMEORIGIN, then click Add and Save changes.
The above custom option makes ICS send the X-Frame-Options header in the 404 response.
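To confirm the setting took effect, save the response head returned for a nonexistent path (for example with `curl -s -D - -o /dev/null https://<ics-host>/<nonexistent-path>`) and run a check such as the one below. This is an added example, not Ivanti code; the two sample responses are constructed, and the function names are hypothetical.

```python
# Added example: audit a saved 404 response head for X-Frame-Options.
# BEFORE and AFTER are constructed samples, not captured from a real ICS gateway.

VALID = {"DENY", "SAMEORIGIN"}  # values browsers still honour for this header

BEFORE = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
AFTER = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n\r\n")


def parse_head(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_xfo(raw, required="SAMEORIGIN"):
    """Return (ok, reason) for the X-Frame-Options header on a 404 response."""
    status, headers = parse_head(raw)
    if status != 404:
        return False, f"not a 404 response (got {status})"
    # Header names are case-insensitive; compare values in upper case.
    values = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not values:
        return False, "X-Frame-Options missing"
    if len(set(values)) > 1:
        return False, "conflicting X-Frame-Options values: " + ", ".join(values)
    if values[0] not in VALID:
        return False, f"unsupported value: {values[0]}"
    if values[0] != required:
        return False, f"expected {required}, got {values[0]}"
    return True, f"X-Frame-Options: {values[0]} present"


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_xfo(sample))
```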