Add noindex support

[konklone]

This adds support for noindex indicators, as documented by Google here. If politely requested, we can add a specific report to a list that will emit the relevant HTTP header and meta tag for the report details page (which displays the report's full text).

Any such reports will still be publicly visible, and searchable from within oversight.garden, but will not be indexed by any crawlers which honor the noindex signal.

The list of noindex'd reports is managed in a list in config/noindex.yaml, which is versioned. The noindex.yaml file must be updated and the app redeployed for a new noindex value to take effect.

[konklone]

To fix the Travis build, I also:

• Updated ES to 6.5.4.
• Updated Ruby to 2.6.0.
• Removed the call-out to the Node Security Project, which was acquired by npm, is now baked into npm audit, and whose API doesn't exist anymore.

I'd love to discuss how we might use npm audit in future Travis builds, and where it's appropriate to warn rather than block a merge (especially for changes which need a major version update), but am happy to merge this first.

[divergentdave]

Looks good to me. nsp check in the CI may have been a bad idea, glad to be rid of it. Additionally, GitHub now has a native feature to scan package dependencies and notify about new vulnerabilities.