I have seen some questions recently about how to add response headers in a Dynamics portal. The link below lists the available CORS options, but there are several other header settings that it does not list. In the table below I added the ones currently available. The example after the table shows how to configure one of the header settings.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/add-web-resource#cors-protocol-support

| Site Setting | Documentation |
| --- | --- |
| HTTP/Content-Security-Policy | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP |
| HTTP/Content-Security-Policy-Report-Only | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only |
| HTTP/X-Frame-Options | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options |
| HTTP/X-Content-Type-Options | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options |

Example configuration for one of the headers in the site settings:

Name: HTTP/X-Content-Type-Options

Website: the website you would like this setting to apply to

Value: nosniff

For available values, see the documentation linked in the table above.

Thanks,

Adam
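
A way to check that the site settings above carry valid values and are actually served, as an added example that is not part of the original post or of the portal product. It assumes a site setting named `HTTP/<header>` is emitted as the response header `<header>`; the function names and the sample data are constructed for illustration.

```python
PREFIX = "HTTP/"  # assumption: site setting HTTP/<header> becomes response header <header>

CSP_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "require-trusted-types-for", "trusted-types",
}

def csp_ok(value):
    """True if the policy has at least one directive and every directive name is known."""
    directives = [d.split() for d in value.split(";") if d.strip()]
    return bool(directives) and all(d[0].lower() in CSP_DIRECTIVES for d in directives)

VALIDATORS = {
    "content-security-policy": csp_ok,
    "content-security-policy-report-only": csp_ok,
    # ALLOW-FROM is obsolete in modern browsers, so only DENY and SAMEORIGIN pass
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

def audit(site_settings, response_headers):
    """Return (problem, header) tuples for header settings that are invalid or not served."""
    served = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []
    for name, value in site_settings.items():
        if not name.startswith(PREFIX):
            continue  # not a response-header site setting
        header = name[len(PREFIX):].lower()
        check = VALIDATORS.get(header)
        if check and not check(value):
            findings.append(("invalid-value", header))
        if header not in served:
            findings.append(("missing", header))
        elif served[header] != value.strip():
            findings.append(("mismatch", header))
    return findings

# Constructed sample data: configured site settings and headers captured from one response
SETTINGS = {
    "HTTP/Content-Security-Policy": "nosniff",  # value belongs to another header
    "HTTP/X-Content-Type-Options": "nosniff",
    "HTTP/X-Frame-Options": "SAMEORIGIN",
}
HEADERS = {"X-Content-Type-Options": "nosniff", "Content-Security-Policy": "nosniff"}
if __name__ == "__main__":
    print(audit(SETTINGS, HEADERS))
```

The `response_headers` argument can be the header mapping returned by any HTTP client for a page on the portal.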