Due to the upgrade to Rails 5, formerly working installations which
served both HTTP (towards a Tor onion service) and HTTPS requests broke
due to mixed HTTP / HTTPS Origin headers and improved request forgery
protections.

A simple fix would be to enforce HTTPS within Rails. However, in a setup
as described, this would break the onion service.

Accordingly, this commit introduces a new gem, secure_headers, which
allows to do more fine-grained control of the involved settings. It
requires a reverse proxy like Apache or Nginx which sets
X-Forwarded-Proto for HTTPS requests, to make the backend aware.

This change is based on these docs:
https://riseup.net/en/security/network-security/tor/onionservices-best-practices#onion-services-and-rails-4

Ref #55