Hi,
Jenkins is installed on a Windows server. Our web scans show three low findings.
1) Cookie not marked as HttpOnly
2) [Possible] Cross-site Request Forgery
3) Missing X-Frame-Options header.
Installed the Missing X-frame plugin and then set the option as SAMEORIGIN, but the scans still show it as a low finding. For the other two, I'm not able to find any resolution in a Google search. Appreciate any inputs on this. Thanks in advance.