
Define and add a CSP to the web app

We have found a couple of XSS vulnerabilities over the years, and there may be a few more that we are unaware of.

A strict Content-Security-Policy should help mitigate them.


Migrated from T4028 (view on Phabricator)
