That header is part of the content security policy of a site. You don't want to add it haphazardly without understanding (and using) the full CSP rules for your org.
I haven't tried this with a function app but I believe you need to set up a proxy for the function. Inside the proxy you specify the header(s) to include as part of the response. Then all requests to the function return back the header(s) you specified. There is a blog article on that here.
Again, though, be sure to review your company's CSP rules and ensure you're following all of them otherwise you're locking a screen door.