gethttpsforfree
Add some security headers, including CSP and HPKP
It would be nice to have some security headers: https://securityheaders.io/?q=https%3A%2F%2Fgethttpsforfree.com%2F
Especially a CSP could be very helpful here, as you can very strictly limit the JS use. However, you may have to rewrite a few JS parts to be CSP-compatible (to not have to allow insecure-eval).
Also have a look at report-uri, where you can collect CSP and HPKP violation reports.
As for HPKP, please be cautious with the LE client. You might want to follow these best practices.
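An added example (not part of this issue or the gethttpsforfree code) of the checks discussed above: a small header checker in the spirit of securityheaders.io that flags missing security headers, `'unsafe-eval'`/`'unsafe-inline'` in the script policy, a CSP without a report-uri, and an HPKP header with no backup pin. The sample header sets are constructed.

```python
from typing import Dict, List

# Headers a scanner like securityheaders.io expects to see on an HTTPS site.
EXPECTED = ["Content-Security-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "X-Frame-Options"]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list is clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {n}" for n in EXPECTED if n.lower() not in h]
    csp = h.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent.
        scripts = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-eval'", "'unsafe-inline'"):
            if weak in scripts:
                findings.append(f"CSP allows {weak} for scripts")
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append("CSP has no report-uri/report-to")
    hpkp = h.get("public-key-pins")
    if hpkp:
        # HPKP best practice: at least two pins, one being a backup key.
        pins = [p for p in hpkp.split(";") if p.strip().startswith("pin-sha256=")]
        if len(pins) < 2:
            findings.append("HPKP has fewer than two pins (no backup pin)")
    return findings


# Constructed sample header sets: a bare site and a hardened one.
BARE = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; "
                               "style-src 'self'; report-uri /csp-report",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
```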
Will probably do CSP, but probably won't do HPKP since I don't really have a planned backup cert.