Provide better web security

[KellerFuchs]

• Use relevant HTTP headers:
  • Content-Source-Policy specifies which elements can come from which origins; it is currently in report-only mode in order to validate the configuration (and get rid of the inline JS) first;
  • X-Content-Type-Options prohibits the browser from guessing MIME types;
  • X-Frame-Options: DENY prevents people from putting hashbang.sh in a frame (for clickjacking);
  • X-XSS-Protection enables a heuristic XSS filter.
• Set Strict-Transport-Security when served over HTTPS.
• Use a better ciphersuite; rationale described in commit https://github.com/hashbang/hashbang.sh/commit/3d1c751ba643c9fbfd07a380220713e4b2d050c0.

[KellerFuchs]

Bad, bad @lrvick pushed changes without a PR, so it wasn't discovered that he didn't refresh the signatures.

As an aside, that means your changes where not served on the website either...

[lrvick]

@KellerFuchs There was no time for a PR. No one was around to review and this was a hotfix trying to get globalsign satisfied. Figured after the fire was out we could go through and fix things.

[lrvick]

• This is an unusual excuse that should not be made a habit of

[KellerFuchs]

@lrvick Doing a PR and merging yourself would have shown that the tests failed.