version 2.7.1

Security related:

• #59 #61 more tricky-open-redirect prevention for the post-signin app-redirect: GHSA-5m6c-jp6f-2vcv

Changes:

• #60 do not set cache-control header for auth-only endpoint
• #63 new option --skip-auth-strip-headers, enabled by default, to remove some headers from upstream requests allowed by --skip-auth-regex, that would otherwise be set by the normal auth logic