Support Browser Security Headers

[echox]

Statuses should support and set the common browser security headers, for example Content-Security-Policy, X-XSS-Protection, HSTS and HPKP.

This should be configurable and turned on by default if possible.

[mvitz]

We should consider using https://github.com/ring-clojure/ring-defaults which comes bundled with most of the features you would like to add :-)