The defaults package should offer more configuration options

[kele]

Goal: Provide a way for developers to install (1) all the plugins needed for a secure web app, and (2) the plugins that work for their setup.

Example: We have two plugins that help with XSRF and they will depend on the way HTML responses are generated. Currently, to use Angular, one needs to list all the plugins themselves: #266.

One idea: create a mapping from security threats to plugins.