Why are headers cleared at all by the middleware?

[luizen]

Hi,
I am working on some .NET 6 REST APIs and using your middleware for the sake of consistent ProblemDetails on errors.
We have strict requirements to follow ASVS recommendations when it comes to HTTP response headers. So we need to add some like "Referrer-Policy", "X-Content-Type-Options", "X-Frame-Options" and so on.
Then I found out that this middleware strips out all our custom headers. After that I managed to make it work again by adding those headers to the AllowedHeaderNames set.
I don't get why the middleware removes all headers by default (except by some pre-defined). Could you please explain?
Thanks