The Content-Security-Policy header only makes sense on HTML pages.
A security header that would make sense for a image or other resource would be Access-Control-Allow-Origin. But that is restrictive by default, so you don't need to do anything with that.