From
Ian Oxley’s Sitepoint article – Improving Web Security with the Content Security Policy, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
</customHeaders>
</httpProtocol>
</system.webServer>
demonstrates how to do this; in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy" and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site (self) to be loaded.
The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.