I had a try at using HttpHeaderSecurityFilter and I must say I'm a bit dissapointed. Because like it's said at https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#web.xml you can't have both your own way and HttpHeaderSecurityFilter: <<HttpHeaderSecurityFilter can be used to add headers to responses to improve security. If clients access Tomcat directly, then you probably want to enable this filter and all the headers it sets unless your application is already setting them.>>.
Since, in RequestHandler class, I already covered all the points HttpHeaderSecurityFilter does (strict-transport-security, x-frame-options and x-content-type-options) there is not much interest in using it. It could even be counterproductive with duplicate or conflictings values. Moreover it does not handle X-XSS-Protection which is a breeze to set in RequestHandler. Finally doing so in RequestHandler has the advantage of not depending on Tomcat and cover not only OOTB web apps but any possible new ones.
I had also a go with RestCsrfPreventionFilter, same dissapointement. It's hard to set as explained at https://email@example.com/msg88601.html. I gave up at this stage, on other filters as well... That does not mean they should not be considered in a custom project...
Anyway all in all I prefer to handle security point by point rather than having a false sense of security relying on filters or what-not.