You mean for the X3 website page? Or for the control panel? You can add them to your own .htaccess file, although I don't really see the point. See comments:
BigBobbyD wrote:(2) Response headers do not include the HTTP X-Frame-Options security header
The only thing this does, is block other websites from showing your website inside an <iframe>. It's not strictly security related.
BigBobbyD wrote:(1) Response headers do not include the HTTP X-XSS-Protection security header
This is only useful if you don't trust users that have access to your X3 control panel. Or if you have a "comments" section where unknown users can insert comments that contain <script> tags, but this is not a feature in X3.
As noted, you can add these into the .htaccess file, but they are pointless unless you are running other insecure apps on your website unrelated to X3.