1) Start your web app project in Visual Studio
2) In your browser, log in to your web app as a member (not an admin).
3) Run a passive scan in ZAP.
Low priority X-Content-Type-Options Header Missing (20)
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. (Clickjacking - Wikipedia)
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).