Create an SPI for adding Security Headers to responses.
Introduce Security Headers SPI, including a default provider.
Currently, security headers are added in the code, which is error prone. Instead the configured security headers provider should be used to add headers in a JAX-RS response filter.
The SPI should also support being extended in the future to allow for more strict CSP headers, which means it should support some way of setting up options on how the headers should be applied.
For now the default provider will use the headers associated with the realm that can be configured directly by the user, but the intent is to eventually get rid of that. A realm should not duplicate default values in the db, and users should not configure the header values directly, but rather have higher-level options on configuring the headers if needed.