ctm / mb2-doc

Mb2, poker software
https://devctm.com

Mozilla security scan gives craftpoker.com an F #1323

Closed ctm closed 7 months ago

ctm commented 7 months ago

Fix the issues that a scan of craftpoker.com shows.

I wasn't aware of that analyzer until now. I found it while looking at implementing HSTS as part of my solution to us not redirecting to HTTPS (#1321).

ctm commented 7 months ago

Now that we're using HSTS, we get a C-. I think the other ones are even easier to fix than adding HSTS, because I don't think there are other hoops to jump through for local development (like creating a self-signed certificate and then having to tell the development machine to trust it).

ctm commented 7 months ago

I got it up to B+ fairly easily and am deploying now. To get a higher rating I need to tighten our Content Security Policy. I don't think that's going to be particularly hard, but it'll have me mucking with stuff I'm not particularly well versed in.

ctm commented 7 months ago

We now have an A+. There is still a little bit of ugliness:

I'll create a GitHub issue for our use of inline styles and even for the connect-src hardcode, but will leave the other two alone for now.
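The findings this thread worked through (HSTS present with a long enough max-age, a CSP that still permits inline styles or hardcodes a connect-src host) can be checked mechanically against a response's headers. The linter below is an added example, not code from mb2 or from the original issue; the header sets and the host name in them are constructed.

```python
import re
from typing import Dict, List

# Constructed sample header sets, not craftpoker.com's real responses.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src wss://game.example.invalid",
}
STRICT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'nonce-d2ViYXNl'; connect-src 'self'",
}
MIN_HSTS_AGE = 15552000  # six months, the max-age Observatory requires for full HSTS credit


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Browsers honour only the first occurrence of a directive, so repeats are ignored."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def lint_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing left to fix."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than six months")
    if "content-security-policy" not in h:
        return findings + ["missing Content-Security-Policy"]
    csp = parse_csp(h["content-security-policy"])
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    # style-src falls back to default-src when it is not set explicitly
    styles = csp.get("style-src", csp.get("default-src", []))
    if "'unsafe-inline'" in styles:
        findings.append("style-src permits inline styles ('unsafe-inline')")
    for src in csp.get("connect-src", []):
        if re.match(r"^(https?|wss?)://", src):
            findings.append(f"connect-src hardcodes host {src}; prefer 'self'")
    return findings
```

Running `lint_headers(WEAK_HEADERS)` reports the missing HSTS header, the inline-style allowance and the hardcoded connect-src host, while `STRICT_HEADERS` comes back clean.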