I recently crawled the top million websites (Alexa) and pulled data relating to the usage of HTTP headers, such as HttpOnly cookies, X-XSS-Protection, X-Frame-Options and X-Content-Security-Policy.
I looked through that script and saw nothing earth-shaking. In fact, many are proprietary to one browser or another and, IMHO, irrelevant (as features of the header to be concerned about). In saying that, it’s just too easy to spoof the headers so they cannot be relied upon anyway.
You asked “Who implements these…” so my response is a professional coder. I say professional as one without the knowledge to write good code cannot be considered professional. There are many aspects to this, too many to go into here, but the “home brew” e-commerce sites are things to stay away from!