The undefined index error (which will also be responsible for the header output error) was a Microthemer problem. The latest 3.4.1 build fixes this.
With regards to the options in the security plugin, Microthemer does require iframes to be permitted. Do the other settings in your screenshot cause any errors with the new 3.4.1 build? If so I will try to work with the author directly to resolve any outstanding issues.