Missing Strict-Transport-Security header

Created on 25 April 2019, almost 6 years ago
Updated 17 March 2023, about 2 years ago

A security scan from one of our customers has reported this as a security issue:

Missing Strict-Transport-Security header (in
https://example.com/modules/contrib/seckit/js/seckit.document_write.js)

Description:
The HTTP protocol by itself is clear text, meaning that any data that is
transmitted via HTTP can be captured and the contents viewed. To keep data
private and prevent it from being intercepted, HTTP is often tunnelled through
either Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

When either of these encryption standards is used, it is referred to as HTTPS.
HTTP Strict Transport Security (HSTS) is an optional response header that can be
configured on the server to instruct the browser to only communicate via HTTPS.
This will be enforced by the browser even if the user requests an HTTP resource
on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed
from the client to the server using HTTP. This can be conducted via various
Man-in-The-Middle (MiTM) attacks or through network packet captures.
Arachni discovered that the affected application is using HTTPS; however, it
does not use the HSTS header.

Solution:
Depending on the framework being used, the implementation methods will vary;
however, it is advised that the `Strict-Transport-Security` header be configured
on the server.

One of the options for this header is `max-age`, which is a representation (in
milliseconds) determining the time in which the client's browser will adhere to
the header policy.

Depending on the environment and the application this time period could be from
as low as minutes to as long as days.

And this security issue too:

Missing X-Frame-Options header (in
https://example.com/modules/contrib/seckit/js/seckit.document_write.js)

Question:
Is this really such a vulnerability? And how can we solve this?
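Both findings concern response headers that a server (or Drupal's seckit module) adds to every response for the origin, so a static asset such as the flagged JS file is simply where the scanner happened to look. The checker below is an added example written for this issue; it is not code from seckit, Arachni or Drupal. It evaluates a captured header set the way a scanner would: the HSTS `max-age` directive is treated as seconds, as RFC 6797 defines it (not milliseconds, as the scan text states), a one-year minimum and the presence of `includeSubDomains` are the checker's own assumptions, and a Content-Security-Policy `frame-ancestors` directive is accepted as the modern replacement for X-Frame-Options. The sample header sets are constructed, not taken from the site in the report.

```python
"""Check a captured HTTP response header set for the two scan findings:
Strict-Transport-Security (HSTS) and X-Frame-Options."""
import re

# Minimum HSTS max-age this checker accepts: one year in seconds (assumption;
# RFC 6797 defines max-age in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Returns e.g. {"max-age": 31536000, "includesubdomains": True}, or None
    if the value is malformed (missing or non-numeric max-age).
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            directives[name] = int(arg)
        else:
            directives[name] = True  # valueless directive such as preload
    if "max-age" not in directives:
        return None
    return directives


def check_security_headers(headers, https=True):
    """Return a list of finding strings for the given response headers.

    `headers` maps header name -> value (names compared case-insensitively).
    `https` says whether the response was served over TLS: browsers ignore
    HSTS received over plain HTTP, so an HTTP response should redirect instead.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = lower.get("strict-transport-security")
    if not https:
        if hsts is not None:
            findings.append("HSTS sent over HTTP is ignored by browsers; redirect to HTTPS instead")
    elif hsts is None:
        findings.append("Missing Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append(f"Malformed Strict-Transport-Security value: {hsts!r}")
        else:
            if parsed["max-age"] == 0:
                findings.append("HSTS max-age=0 disables the policy")
            elif parsed["max-age"] < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {parsed['max-age']}s is below {MIN_HSTS_MAX_AGE}s")
            if "includesubdomains" not in parsed:
                findings.append("HSTS lacks includeSubDomains")

    xfo = lower.get("x-frame-options")
    csp = lower.get("content-security-policy", "")
    if xfo is None and "frame-ancestors" not in csp.lower():
        findings.append("Missing X-Frame-Options header (and no CSP frame-ancestors)")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"Unsupported X-Frame-Options value: {xfo!r}")

    return findings


# Constructed sample responses (not captured from the reported site): the
# static JS asset as the scanner saw it, and the same asset once the server
# has been configured to send both headers.
BEFORE = {
    "Content-Type": "application/javascript",
    "Cache-Control": "max-age=1209600",
}
AFTER = {
    "Content-Type": "application/javascript",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, check_security_headers(hdrs) or ["OK"])
```

Run against real traffic by feeding it the header dict from any HTTP client; because the check is per response, pointing it at a static file under `/modules/` is as valid a probe as pointing it at the front page.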

Issue type: Bug report
Status: Closed (works as designed)
Version: 1.0
Component: Code
Created by: handkerchief (Switzerland)

Tags: Security
