
Add security headers #282

@AMDmi3

Description


Currently, a lot of security-related headers are set in our nginx. These should be moved to repology-webapp, as these will make sense for any Repology instance, while having these in nginx config complicates it and gets in the way of implementing poorly written MITM software like anubis, which doesn't work in their presence.

For pages:

add_header  X-Content-Type-Options "nosniff";
add_header  Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'";
add_header  X-Frame-Options "DENY";

For badges (see repology/repology-webapp#175 on why we need a relaxed header):

add_header  X-Content-Type-Options "nosniff";
add_header  Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; frame-ancestors *; base-uri 'none'; form-action 'self'";

These headers may be injected by a middleware, but because it needs customization depending on the endpoint, we need to separate generic and badge routers and then merge them with axum::Router::merge or axum::Router::nest.
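Added example, not code from this issue or from repology-webapp: the per-endpoint header policy such a middleware would apply, written in plain Rust without axum so the page/badge difference is a single directive override rather than two copied header strings. The `EndpointKind` enum, `render_csp` and `security_headers` are assumed names; wiring the returned pairs into the page and badge routers is left to the caller.

```rust
/// Which kind of endpoint a response comes from; badges need a relaxed
/// frame-ancestors (see repology/repology-webapp#175).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum EndpointKind { Page, Badge }

/// Strict CSP baseline for pages (values from the issue), in header order.
const STRICT_CSP: &[(&str, &[&str])] = &[
    ("default-src", &["'none'"]),
    ("style-src", &["'self'"]),
    ("script-src", &["'self'"]),
    ("img-src", &["'self'"]),
    ("font-src", &["'self'"]),
    ("frame-ancestors", &["'none'"]),
    ("base-uri", &["'none'"]),
    ("form-action", &["'self'"]),
];

/// Serialize directives in fixed order so the header is deterministic. `overrides`
/// replace a named directive's sources; an unknown name panics so a typo fails
/// when the router is built rather than silently weakening the policy per request.
pub fn render_csp(base: &[(&str, &[&str])], overrides: &[(&str, &[&str])]) -> String {
    for (name, _) in overrides {
        assert!(base.iter().any(|(n, _)| n == name), "unknown CSP directive {name}");
    }
    base.iter()
        .map(|(name, srcs)| {
            let srcs = overrides.iter().find(|(n, _)| n == name).map_or(*srcs, |(_, s)| *s);
            format!("{name} {}", srcs.join(" "))
        })
        .collect::<Vec<_>>()
        .join("; ")
}

/// Headers a middleware should add to responses of the given kind.
pub fn security_headers(kind: EndpointKind) -> Vec<(&'static str, String)> {
    let csp = match kind {
        EndpointKind::Page => render_csp(STRICT_CSP, &[]),
        // badges are embedded in third-party pages, so any framer is allowed
        EndpointKind::Badge => render_csp(STRICT_CSP, &[("frame-ancestors", &["*"])]),
    };
    let mut headers = vec![
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("Content-Security-Policy", csp),
    ];
    // X-Frame-Options: DENY only for pages; it would contradict the badge CSP
    if kind == EndpointKind::Page {
        headers.push(("X-Frame-Options", "DENY".to_string()));
    }
    headers
}
```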
