WordPress has a built-in function to send the X-Frame-Options header: send_frame_options_header(). It is used by default on the login and admin pages.
If you want to enable it always, just add it for front end views:
add_action( 'template_redirect', 'send_frame_options_header' );
But … it doesn’t send Content-Security-Policy headers. If you want to have a more complete solution and disable any frame, even from the same site, you can use:
function no_frame_headers()
{
header( "X-Frame-Options: DENY", true );
header( "Content-Security-Policy: frame-ancestors 'none'", true );
}
And then register that callback:
add_action( 'login_init', 'no_frame_headers', 1000 );
add_action( 'admin_init', 'no_frame_headers', 1000 );
add_action( 'template_redirect', 'no_frame_headers', 1000 );
This has to go into a plugin, of course.