User can exclude headers (generally in responses is most useful)
by configuring them, or calling a setter in ZuulProperties.

If Spring Security is on the classpath we add a few headers
automatically, corresponding to the ones that would be added
by Spring Security in the remote backend anyway (so they are not
added twice). Nothing is actually removed, so if the remote
service doesn't add those headers, we don't change anything.

The X-Application-Context header is also added to the hard coded
list of ignored headers, because it isn't relevant in the
gateway (and leaks information about the remote service).

Fixes gh-819