I don't know how many of these can be set automatically by default.
Public-Key-Pins and HPKP header are deprecated.
I tried to implement Content Security Policy on the blog and it is very difficult. Even if you implement it successfully, you limit yourself a lot and you can't install some modules. Lots of work for few results.
X-Permitted-Cross-Domain-Policies - If your project is not using Flash and PDF, there is no need for that header.
You can set the CAA record at DNS level. It's very simple.
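The CAA records mentioned above, as an added example that is not part of the original post: a constructed zone fragment and a small checker that applies the RFC 8659 lookup rules to show which CA the records allow for a given name. The domain `example.com`, the CA names and all function names are assumptions made for illustration.

```python
import re

# Constructed sample zone: example.com and the CA names are placeholders.
ZONE = '''
example.com.      3600 IN CAA 0 issue "letsencrypt.org"
example.com.      3600 IN CAA 0 issuewild ";"
example.com.      3600 IN CAA 0 iodef "mailto:security@example.com"
shop.example.com. 3600 IN CAA 0 issue "digicert.com"
'''

CAA_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]} for each CAA line."""
    records = {}
    for line in text.splitlines():
        m = CAA_RE.match(line.strip())
        if m:
            owner = m.group(1).rstrip(".").lower()
            records.setdefault(owner, []).append(
                (int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records

def relevant_rrset(records, name):
    """Climb from the name toward the root; the first CAA set found applies."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(records, name, ca_domain):
    """True if ca_domain may issue a certificate for name (RFC 8659 rules)."""
    rrset = relevant_rrset(records, name)
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    props = wild if (name.startswith("*.") and wild) else issue
    if not props:
        return True  # nothing in the set restricts this request
    # Parameters after ';' are ignored here; an empty issuer (";") matches no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in props)

RECORDS = parse_zone(ZONE)
```

A subdomain with its own CAA set, such as `shop.example.com` here, no longer inherits the parent's records, including the parent's wildcard ban.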