Improve application gateway security

[jemrobinson]

:white_check_mark: Checklist

• [x] You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• [x] You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• [x] Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

:vertical_traffic_light: Depends on

n/a

:arrow_heading_up: Summary

Improve the security of the application gateway following suggestions from here.

• Content-Security-Policy
  • upgrade insecure requests, block iframes, block forms that send you to another domain
• X-Frame-Options
  • block iframes from other sites
• X-Content-Type-Options
  • block MIME-sniffing of content that shouldn't be user-accessible
• Referrer-Policy
  • allow a site to control how much information the browser includes when navigating to another site. Not sure I really understand what this is for although this is a good writeup.
• Permissions-Policy
  • block this site from using accelerometer, camera etc. from the user's device. May need to be revisited in future.
• Strict-Transport-Security
  • enable HSTS which forces HTTPS (N.B. This one gives us A+ on SSLLabs)
• Server
  • remove server information which was highlighted as a potential vulnerability in the past

:closed_umbrella: Related issues

Closes #2137

:microscope: Tests

• Tested that the changes do not break the login process

SSLLabs score

SecurityHeaders score (from https://securityheaders.com)

[github-actions[bot]]

Coverage report

This PR does not seem to contain any modification to coverable code.