Not really following what putting those in HTTP_REQUEST will do for you. X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options are headers that manipulate browser behavior.
In sort of a basic way, these are the events you're probably interested in:
Request:
Client ------[HTTP_REQUEST]------> APM -------[HTTP_REQUEST_RELEASE]------> Backend
Response:
Client <-----[HTTP_RESPONSE_RELEASE] ----- APM <--------[HTTP_RESPONSE]---- Backend
So, probably you'd be interested more in HTTP_RESPONSE_RELEASE because you're trying to mess with headers that are meant for the client's user-agent.
Specifically though, APM already inserts "X-Frame-Options" on its pages (logon pages, webtop, etc) so you don't need to add this by disabling ACCESS::restrict_irule_events.
For those other things, you can probably just put them in HTTP_RESPONSE_RELEASE.
You may find the "HTTP::header replace" useful, it inserts if not exists, but replaces if it does exist.