I recently crawled the top million websites (alexa) and pulled data relating to the usage of HTTP Headers, such as HTTPOnly cookies, X-XSS-Protection, X-Frame-Options and X-Content-Security-Policy.
See the results here: http://hackertarget.com/http-header-security-analysis/
Who implements these policies on the web servers they run?
According to the stats < 1% of sites in the top 1 million are setting these headers for most of the options.
I looked through that script and saw nothing earth-shaking. In fact, many are proprietary to one browser or another and, IMHO, irrelevant (as features of the header to be concerned about). In saying that, it's just too easy to spoof the headers so they cannot be relied upon anyway.
You asked "Who implements these..." so my response is a professional coder. I say professional as one without the knowledge to write good code cannot be considered professional. There are many aspects to this, too many to go into here, but the "home brew" e-commerce sites are things to stay away from!
Why are hackers going to honor headers I send?
:D:D:D I thought I said that already. Okay, okay, certainly not as succinctly as you did!