Add RateLimit-* headers to RackAttack responses

Something I noticed when I was looking at https://docs.gitlab.com/ee/user/gitlab_com/index.html#haproxy-api-throttle is that we document these RateLimit-* headers we set.

We don't get these for free with Rack Attack, but we could add them: https://github.com/rack/rack-attack#ratelimit-headers-for-well-behaved-clients We already manually add them in HAProxy: https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/-/blob/3a8f7adbc0e0ce5996e529e6dd45b135caf13f2c/templates/default/haproxy-frontend.cfg.erb#L320-324

I think we should, because clients like https://github.com/xanzy/go-gitlab/blob/master/gitlab.go#L47-48 expect these.

So that is:

• Send these headers for all requests (see also gitlab-org/gitlab#20482 (closed))
• Update the documentation at https://docs.gitlab.com/ee/user/gitlab_com/index.html#haproxy-api-throttle
• Verify whether the load balancers override these headers?
  • Cloudflare
  • HAProxy touches the headers. We'll need to open a new MR to conditional set the headers only if the headers are not set by the upstream only.
• Create a section for response headers at https://docs.gitlab.com/ee/security/rate_limits.html#rate-limits
• Update other response header documentations to point to the unified general one above at
  • https://docs.gitlab.com/ee/security/rack_attack.html#rack-attack-initializer
  • https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#protected-paths
  • https://docs.gitlab.com/ee/user/gitlab_com/#protected-paths-throttle
• (Done because that blog post is already merged) Update gitlab-com/www-gitlab-com!70143 (merged) if we do this before that's merged
• Close gitlab-org/gitlab#20482 (closed) once we're done

cc @jacobvosmaer-gitlab @cmiskell