We have a fairly small API GW setup right now, but use a Global Policy to return some common secure headers that all endpoints require. For example, HSTS and some others are required for every service.
Just added the Manage Transport Properties assertion to add/replace the response headers with what we want, to ensure they're always set to the required value.
Manage Transport Properties/Headers Assertion - CA API Gateway - 9.3 - CA Technologies Documentation
For ones that need additional or custom headers not in the standard list we use, we either add them straight into their policy and just return what is needed (Content-Security-Policy, for example, will often vary depending on the app) or use an included policy fragment if there's a common set across multiple services.
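As an added example (not from the post above and not CA API Gateway policy itself): a small checker expressing the same split, a global set of required headers including HSTS, plus a service-specific Content-Security-Policy that must be present but may vary. The header names and values are assumptions standing in for the poster's standard list; run it over headers captured from each endpoint to confirm the global policy actually took effect.

```python
import re
from typing import Dict, List

# Assumed global list: exact values every service must return.
REQUIRED_EXACT = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
# HSTS must be present with max-age >= one year and includeSubDomains.
HSTS_MIN_MAX_AGE = 31536000
# Must be present on every service, but the value is service-specific.
REQUIRED_PRESENT = ["Content-Security-Policy"]


def check_hsts(value: str) -> List[str]:
    """Return problems with a Strict-Transport-Security value (empty if OK)."""
    problems = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        problems.append("HSTS missing max-age")
    elif max_age < HSTS_MIN_MAX_AGE:
        problems.append(f"HSTS max-age {max_age} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("HSTS missing includeSubDomains")
    return problems


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return every violation of the global header policy for one response."""
    # Header names are case-insensitive, so fold them before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    for name, expected in REQUIRED_EXACT.items():
        actual = h.get(name.lower())
        if actual is None:
            problems.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            problems.append(f"{name} is {actual!r}, expected {expected!r}")
    if "strict-transport-security" not in h:
        problems.append("missing Strict-Transport-Security")
    else:
        problems.extend(check_hsts(h["strict-transport-security"]))
    for name in REQUIRED_PRESENT:
        if not h.get(name.lower()):
            problems.append(f"missing {name}")
    return problems
```

An empty list means the response satisfies the policy; anything else is a header the gateway rewrite did not cover.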