Implement security headers

[jschreuder]

• [x] X-Frame-Options
• [x] X-XSS-Protection
• [x] X-Content-Type-Options
• [x] HSTS
• [x] CSP

[jschreuder]

Headers implemented for all PHP requests, won't affect index.html though: a30bc05d66d2493c655c473df587f08f2e084ba4

Possibly server index.html through PHP?

[jschreuder]

Main template now served through PHP with headers attached in db02a770a88cad1b4cc1759b0971d8a1f9d511d0

This had the CSP causing all sorts of mayhem ofcouse, so the following modifications were necessary:

• added ng-csp to force Angular to go into CSP compatible mode
• still allow service-worker by adding its hash to the script-src directive and self to child-src
• allowing for base64 images by adding data: to img-src
• adding unsafe-inline to style-src to not break Angular Material theming

That last modification would be better not to have, but not sure how to eliminate it.

[jschreuder]

Done for v1, may want to revisit for next version.