Retry-After header should be set by RackAttack

We do not set the Retry_After header even though our documentation claims we do (1, 2,3); I have experimentally confirmed that (lack of) behavior on a protected path URL.

It's easily enough turned on with Rack::Attack.throttled_response_retry_after_header = true per https://github.com/rack/rack-attack#ratelimit-headers-for-well-behaved-clients and is a nice thing to do e.g. gives a better experience for the python client, at least (https://python-gitlab.readthedocs.io/en/stable/api-usage.html#rate-limits)