Hi and welcome to the forum
Many of those online test/tools will display errors because they do not support javascript and cookies
So it’s best to test through browser dev. tools (F12)
and you can see which headers were returned by the server
Since you are the owner of the domain, it is easier for you to do it through Cloudflare
but it can also be done via .htaccess or php etc..
now it all depends on what kind of website you have
but I remind you, don’t just copy the values if you don’t know what you’re doing, because the wrong settings can make your website inaccessible to someone
(CF offers somewhere in its options to put some of these security headers itself)
Manual:
Cloudflare - new way Tips for quality website design - #258 by Oxy
Cloudflare - the old way (but contains code that may be useful to you) Tips for quality website design - #194 by Oxy
blah blah - How to improve the performance - #3 by Oxy
More info (click on each one listed to find out what it is for and what kind of code you need) Enforcing Security Headers with Cloudflare Transform Rules - Paramdeo Singh
Domain on CF