Set common security headers in HTTP responses

[grobie]

In order to protect against web vulnerabilities, this change sets common
security headers.

• content-security-policy allows only scripts, fonts, and stylesheets to
  be loaded from the site origin or from Google's font servers
• referrer-policy denies any referrer header to be sent to other pages
  (note the highly sensitive URL fragment should have already been
  ignored by modern browsers)
• x-content-type-options denies browsers to assume the response content
  type
• x-frame-options denies old browser to load the page in an iFrame
• x-xss-protection activates basic XSS protection
• strict-transport-security enforces browsers to use TLS for any further
  requests in the future. It's only set if the request was served via
  TLS

See https://securityheaders.com/?q=yopass.se&followRedirects=on for more information.

[codecov]

Codecov Report

Merging #550 into master will increase coverage by 1.43%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #550      +/-   ##
==========================================
+ Coverage   86.95%   88.38%   +1.43%     
==========================================
  Files           4        4              
  Lines         138      155      +17     
==========================================
+ Hits          120      137      +17     
  Misses         10       10              
  Partials        8        8              

Impacted Files	Coverage Δ
pkg/yopass/yopass.go	96.07% <100.00%> (+0.78%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0a9fcc8...05e16a5. Read the comment docs.

[jhaals]

Thanks for adding these @grobie 👍