rumkin / plant

🌳 JS web server charged with WebAPI and neat HTTP2 support
https://npmjs.com/package/@plant/plant

Harden default CSP #10

Open rumkin opened 5 years ago

rumkin commented 5 years ago
  1. Use default-src 'none' for most resource types.
  2. Create exceptions list for resources which may have 'self' value:
    • styles
    • scripts
    • images
rumkin commented 5 years ago

Decided to add several CSP sets for local development, testing and production purposes. Default is LOCAL, which allows only localhost to be a source of data. STRICT is the production version: it denies everything using default-src 'none' and defines exact resources to use the https protocol with the origin hostname.
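The two policy sets sketched in the comments above, written out as an added example (this is not code from the Plant project or from the issue author). It builds a LOCAL set that admits only localhost sources and a STRICT set that starts from default-src 'none' and whitelists https on the origin hostname, then evaluates whether a given resource URL would be permitted, including the fall-through from a missing fetch directive to default-src. The hostname `example.com`, the page origins used in the checks, and all function names (`buildCsp`, `parseCsp`, `cspPresets`, `isAllowed`) are assumptions for illustration; path matching on host sources is deliberately left out.

```javascript
'use strict';
// Added example, not code from the Plant project or the issue.
// LOCAL and STRICT CSP sets as described in the issue, plus a small
// evaluator that mirrors how browsers resolve fetch directives.

// Fetch directives that fall back to default-src when absent.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'prefetch-src',
]);

// Serialize { directive: [sources] } into a Content-Security-Policy value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
// The first occurrence of a directive wins, as browsers require.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in out)) out[key] = sources;
  }
  return out;
}

// LOCAL: only localhost may be a source of data (http and websocket).
// STRICT: deny everything, then name exact https sources on the origin host.
// hostname is an assumed parameter (e.g. 'example.com').
function cspPresets(hostname) {
  const local = {
    'default-src': ['http://localhost:*', 'https://localhost:*', 'ws://localhost:*'],
  };
  const strict = {
    'default-src': ["'none'"],
    'script-src': [`https://${hostname}`],
    'style-src': [`https://${hostname}`],
    'img-src': [`https://${hostname}`],
    'connect-src': [`https://${hostname}`],
    'form-action': ["'self'"],
    'base-uri': ["'none'"],
    'frame-ancestors': ["'none'"],
  };
  return { LOCAL: buildCsp(local), STRICT: buildCsp(strict) };
}

// Does one source expression match a URL requested by a page at pageOrigin?
// Supports 'none', 'self', '*', scheme-source and host-source (no paths).
function sourceMatches(expr, url, pageOrigin) {
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  const urlScheme = url.protocol.slice(0, -1);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // nonce/hash/keyword: never matches a URL
  if (expr === '*') return !['data', 'blob', 'filesystem'].includes(urlScheme);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return urlScheme === expr.slice(0, -1).toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the page scheme applies, with http -> https upgrade allowed.
  const schemeOk = scheme
    ? urlScheme === scheme.toLowerCase()
    : urlScheme === pageScheme || (pageScheme === 'http' && urlScheme === 'https');
  if (!schemeOk) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith('.' + h) : url.hostname === h;
  if (!hostOk) return false;
  if (port === '*') return true;
  // WHATWG URL reports '' for the scheme's default port, so '' === '' covers that case.
  return (url.port || '') === (port || '');
}

// Resolve the governing directive (falling back to default-src for fetch
// directives) and test the URL against its source list.
function isAllowed(policy, directive, urlString, pageOrigin) {
  let sources = policy[directive];
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) sources = policy['default-src'];
  if (sources === undefined) return true; // this policy does not restrict the directive
  const url = new URL(urlString, pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}
```

The useful property to notice is the fallback: under STRICT a font or connect request to any host not explicitly listed is refused because the lookup lands on default-src 'none', which is exactly what makes the exception list in the first comment the only thing that needs auditing.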