Thanks, me too. Global settings do not exist for this 🙁
If anybody wants, I prepared a good sample of security headers:
```
context / {
  extraHeaders <<<END_extraHeaders
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy "upgrade-insecure-requests;connect-src *"
Referrer-Policy strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection 1;mode=block
  END_extraHeaders
}
```