upagekite/web: Add web security code

[BjarniRunar]

The micro-framework needs to support basic web security features by default.

A few ideas:

• [x] A method which requires HTTP Basic auth (username/password)
• [ ] An option on the above method to allow unauthenticated access from the LAN
• [x] Easy-to-use CSRF in forms and the form parsing code
• [x] Review what kind of CORS headers should be included by default
• [x] Use default Referrer-policy to not leak domains/URLs to outside
• [x] Set cache-control defaults to "private" only

[BjarniRunar]

I think the conclusion w.r.t. CORS is no headers should be added by default, since CORS is designed to grant further access, not restrict it. Apps which need this can however change the defaults or add their own CORS headers. So marking that task done.