Improve the security via HTTP headers

We're currently missing a CSP policy to help preventing the loading of external resources such as fonts, javascript or images. We could also prevent Iframe loading on all pages (except embeds) using X-Frame-Options.

My initial attempts at a generating a CSP policy yield this: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:

With this policy, the app loads without any CSP warning (at least during my tests). The unsafe-unline and unsafe-eval bits could possibly removed if we added the CSP headers at the Python level (appending a nonce= to the stylesheets and javascripts files. However, this would require a bit more work.

We also might want to set the X-XSS-Protection, X-Content-Type-Options and Referrer-Policy headers too.