I admit the question is stupid, but in the documentation about this issue there is a big confusion. I couldn't understand the principles: when security headers can be added, who can add them, do I need to write my own handler? How to add it? BindingProvider? HTTP security?? So who talks to whom and whom talks to who?!?!?!
Any help is appreciated.