Zeppelin being a notebook has gained popularity among Data Scientists who are not necessarily also information security savvy. They usually deploy Zeppelin with default configuration options which doesn't enable the common web application security headers by default, e.g. zeppelin.server.xframe.options, zeppelin.server.strict.transport, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options documented here. This leaves the Zeppelin installation vulnerable.
In recent times, Zeppelin installations are taking flak over these missing security headers from Internal Security teams and External Auditors who are not aware of these features being already available. Also, as software community is moving towards privacy-by-design and compliance-as-code, expectation of secure by design doesn't look out of the place. This Jira's intention is to enable all above HTTP response headers by default.