Document implementation of Content-Security-Policy

Add to JS page and link from HTML/CSS

Rationale (cybersecurity insurance) https://platform.securityscorecard.io/#/scorecard/open-contracting.org/issues/OPEN
Browser plugin to prepare heading
Common patterns from existing repos
Cloudflare configuration
Testing approach (example of missed issue from standard repo)
Links to any blockers with frameworks

Also add subresource integrity instructions (tool linked from MDN, use default SHA384)

And same for X-Content-Type-Options

open-contracting / software-development-handbook