When the security header checkbox for "x-permitted-cross-domain-policies" is enabled during the scan, this header is already getting validated and so it should not show up in the list of boring/interesting headers in the issue list and report.

The same applies to 'content-security-policy' header as well.