Improve default response headers

Reponse headers now include the following:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security: max-age=63072000
  - Only when HTTPS_ONLY is set

https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
https://infosec.mozilla.org/guidelines/web_security#x-frame-options

app/routes.py

@@ -145,9 +145,12 @@ def before_request_func():
 
 @app.after_request
 def after_request_func(resp):
+    resp.headers['X-Content-Type-Options'] = 'nosniff'
+    resp.headers['X-Frame-Options'] = 'DENY'
     resp.headers['Content-Security-Policy'] = app.config['CSP']
     if os.environ.get('HTTPS_ONLY', False):
         resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
+        resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
 
     return resp