IMO, a modern web framework should provide first-class support for OWASP Secure Headers Project and provide developers to easily configure it to so that their applications produce a high score on securityheaders.com.
Support for this does exist in Spring Security, however I believe this should really live in the core web framework as it's a useful feature regardless of whether application uses Spring Security - either because it doesn't need authentication/authorization support or uses some other solution for those concerns.