Can anyone explain to me how to add Content Security Policy and X-XSS-Protection headers to my website?
You must configure the server, which you can’t. But you can add a meta tag as mentioned in Mozilla’s Documentation.
X-XSS-Protection is meant for legacy browsers. It must be configured via an .htaccess file. Or by PHP. Very few browsers support it.
IE8, Chrome 1 - 3, Safari, Safari Mobile, Opera Mobile, and Samsung Internet are the few browsers that support this.
No, you don’t need to change the server configuration to set these headers. Sure, adding the headers to the main server config is a way to enable them, but far from the only one.
You can set most HTTP headers in both .htaccess rules and PHP code.
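
Added example, not part of the thread: one way to send both headers from PHP, as the last reply describes. The directive values, the per-request nonce and the helper name `build_csp` are assumptions to adapt to your own site.

```php
<?php
// Added example: security headers set from PHP instead of the server config.
// Policy values below are assumptions, not taken from the thread.
declare(strict_types=1);

/** Build a Content-Security-Policy header value from a directive map. */
function build_csp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $sources === [] ? $name : $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// A fresh, unpredictable nonce for every response; never reuse or hard-code it.
$nonce = base64_encode(random_bytes(16));

$csp = build_csp([
    'default-src'     => ["'self'"],
    'script-src'      => ["'self'", "'nonce-{$nonce}'"],
    'object-src'      => ["'none'"],
    'base-uri'        => ["'self'"],
    // frame-ancestors only works in the HTTP header, not in a <meta> tag.
    'frame-ancestors' => ["'none'"],
]);

// header() only works before any output (including whitespace or a BOM).
if (headers_sent($file, $line)) {
    error_log("Security headers not sent: output started at {$file}:{$line}");
} else {
    header('Content-Security-Policy: ' . $csp);
    // Legacy header, only honoured by the older browsers listed in the thread.
    header('X-XSS-Protection: 1; mode=block');
}
?>
<!doctype html>
<html>
<head><title>CSP example</title></head>
<body>
<!-- Inline scripts run only when they carry this response's nonce. -->
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>">
  console.log('inline script allowed by nonce');
</script>
</body>
</html>
```

Check the result in the browser's network tab or with `curl -I`: both headers should appear on the response, and any inline script without the nonce should be reported as blocked in the console.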