Add security headers

[Varbin]

See the HTTP Headers cheat sheet and the Flask documentation.

• Content-Security-Policy (note to myself: allow inclusion from the IdP, possibly allow external and data URLs for images)
• X-Frame-Options as a fallback
• X-Content-Type-Options
• HTTP Strict Transport Security (configurable with on/off)
• Document and possibly set improved defaults for session cookie parameters

Do not configurate an referrer policy, as IdPs may check the referrer