first of all ,we can't do much about that if tomcat would by default do that.
But i just downloaded the latest 9.0.36 and looked into the default web.xml:
<!--
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
-->
its commented out, so somebody else did enable that.