ruichen199801 / forxnews

CIS550 database course project
https://youtu.be/nuDBwg3mG6o

introduce helmet for better security #65

Closed ruichen199801 closed 1 year ago

ruichen199801 commented 1 year ago

We can use Helmet (https://helmetjs.github.io/) to add a set of protections to our express app, including setting response headers properly.

Notes:

  1. Helmet won't change headers on localhost because we are using a proxy: https://github.com/helmetjs/helmet/issues/327
  2. We disabled contentSecurityPolicy as images and Google Maps won't load. We can alternatively whitelist the URLs, but it's more convenient to just disable it.
  3. We disabled crossOriginEmbedderPolicy rules as this causes issues when calling Google Maps APIs: https://github.com/helmetjs/helmet/issues/343
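The two Helmet configurations the comment above weighs, the merged one with contentSecurityPolicy and crossOriginEmbedderPolicy switched off and the allowlist alternative it mentions, as an added example that is not code from the forxnews repository. The option objects are in the shape `helmet()` accepts; the Google Maps hosts, the app origin and the sample response headers are assumptions for illustration. So that the file runs on plain Node without express or helmet installed, the header string is produced by a small local serializer that reproduces the Content-Security-Policy format (kebab-case directive names joined by "; "), and a parser plus a resource check show why the allowlist policy still lets the map load while blocking other origins.

```javascript
// Added example, not part of the forxnews project. No express/helmet needed to run.

// Option A, as merged in the PR: CSP and COEP disabled entirely. Images and the
// map load, but the app ships without any CSP protection.
const relaxedHelmetOptions = {
  contentSecurityPolicy: false,
  crossOriginEmbedderPolicy: false,
};

// Option B, the allowlist alternative: keep CSP on and name only the origins the
// app actually loads from. Hosts below are assumptions for a Google Maps embed.
const allowlistHelmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://maps.googleapis.com"],
      imgSrc: ["'self'", "data:", "https://maps.gstatic.com", "https://maps.googleapis.com"],
      connectSrc: ["'self'", "https://maps.googleapis.com"],
      frameSrc: ["https://www.google.com"], // for <iframe> map embeds
    },
  },
  // Still off: COEP would block the cross-origin map resources (helmet issue #343).
  crossOriginEmbedderPolicy: false,
};

// Local helper: render camelCase directive keys as the header's kebab-case form,
// e.g. scriptSrc -> "script-src 'self' https://maps.googleapis.com".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return `${kebab} ${values.join(" ")}`;
    })
    .join("; ");
}

// Parse a Content-Security-Policy header back into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Would a resource at resourceUrl be permitted under `directive`?
// Simplified matching: scheme sources ("data:"), 'self' against appOrigin, and
// exact origin matches; fetch directives fall back to default-src when absent.
function cspAllows(header, directive, resourceUrl, appOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] || policy["default-src"] || [];
  return sources.some((src) => {
    if (src === "*") return true;
    if (src.endsWith(":")) return resourceUrl.startsWith(src); // scheme source
    const origin = new URL(resourceUrl).origin;
    if (src === "'self'") return origin === appOrigin;
    return src === origin;
  });
}

// Defender-side check for a deployed instance (note 1 in the comment: behind the
// proxy the headers may not show up locally, so check the public endpoint).
// `headers` uses lower-cased names, as Node's http module reports them.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers["content-security-policy"] || "";
  if (!csp) findings.push("no Content-Security-Policy");
  if (!headers["strict-transport-security"]) findings.push("no Strict-Transport-Security");
  if (!headers["x-content-type-options"]) findings.push("no X-Content-Type-Options");
  if (!headers["x-frame-options"] && !csp.includes("frame-ancestors")) {
    findings.push("no clickjacking protection");
  }
  return findings;
}

// Constructed sample: what option B yields, checked against the app's own origin.
const APP_ORIGIN = "https://forxnews.example"; // assumption
const allowlistHeader = serializeCsp(allowlistHelmetOptions.contentSecurityPolicy.directives);
console.log(allowlistHeader);
console.log("map tile allowed:", cspAllows(allowlistHeader, "img-src", "https://maps.gstatic.com/mapfiles/a.png", APP_ORIGIN));
console.log("other origin allowed:", cspAllows(allowlistHeader, "img-src", "https://cdn.other.example/a.png", APP_ORIGIN));
console.log("option A findings:", auditHeaders({ "x-content-type-options": "nosniff", "strict-transport-security": "max-age=15552000" }));
```

Option A trades the whole CSP for convenience; option B costs one allowlist per third-party origin but keeps image and script loading restricted to the hosts named, and `auditHeaders` makes the difference visible when run over the live response rather than the localhost one.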