are you referring to a specific vulnerability, a VMware Security Advisory, CVE or alike?
I looked at the HTTP headers that the vCSA 6.5 sends (with Chrome debug console), and noticed that the headers you mentioned are already sent from the Flash based Web Client (/vsphere-client), but not consistently from the HTML5 client (/ui).
You can for sure tinker with these settings by editing the web.xml config files of the different Tomcat instances, but this is certainly unsupported by VMware and can cause unwanted side effects like Web Client plugins no longer working as expected.
The report is showing the main web client for the VCSA on port 443 (before choosing the client to use) is showing as not having the headers set. I have tested both the Flash Web Client and the HTML5 client and both are showing none of the response headers on our system.
I will contact VMware themselves and see what they say- will post a reply if I get anything from them.