A bit more context would help. I assume you are consuming a REST-call here. in that case you add the header in the call-rest-activity.
*Editted* Ah, You are trying to implement this on your website. I have tested if Mendix has implemented this by default: https://gf.dev/tests/mqtllqyrz5t. Apparently not.
Here is a description of how to implement no-sniff protection: https://geekflare.com/http-header-implementation/. It needs to be done on the server. Since your server-manager is Mendix (again: I assume this) you best contact your CSM, customer support manager, at Mendix and ask for the possibilities.