In this case you enable the best choice for you will be to modify Moodle's source code (which you'll have to apply every time you upgrade Moodle):
First, open the following file:
At line 2032, you will see the following line:
You can try replacing it by:
@header('X-Frame-Options: SAMEORIGIN, GOFORIT');
@header("Content-Security-Policy: default-src 'self' *.yourdomain.com");
You can read more about Content-Security-Policy here.