How to add and remove security-related HTTP response headers for HTML pages and API endpoints, for .NET web applications hosted in IIS.