All the ESRI examples are always very straightforward, but simple and plain when it comes to headers. In today's world we're asked to tighten down our code with the introduction of many more security headers. This is not my area of expertise; I'm always doing good to get my code to work! It's my understanding some configuration can happen on the application server, as an overall configuration, while others are best managed per application.
These are the headers I'm being asked about. There may be others as time goes on:
HTTP Public Key Pinning (HPKP) Header
HTTP Strict Transport Security (HSTS) Header
X-Frame-Options Header
X Permitted Cross Domain Policies Header
Content-Security-Policy (CSP) Header
Referrer-Policy HTTP header