fukamachi/caveman

Default headers set in Caveman2 core should be optional


Caveman2 sets Cache-Control: private and X-Frame-Options: DENY by default in its core.
Those headers are recommended for security; however, they should be optional.

https://github.com/fukamachi/caveman/blob/master/v2/src/app.lisp#L74-L85

Moving make-response to under skeleton/ possibly causes a security issue in running web sites. I'll give notice before the update.