Web access on a domain

We have a WAF implemented on webaccess.domain. A vulnerability assessment penetration test was done on the webaccess domain.

The vulnerability is “some security headers have not been implemented”

Implement security headers which are content security policy, content.type options, referrer policy, and permission policy.

Can anyone help me with how can this be resolved?