Add secure_headers gem and config
Due to the upgrade to Rails 5, formerly working installations which served both HTTP (towards a Tor onion service) and HTTPS requests broke due to mixed HTTP / HTTPS Origin headers and improved request forgery protections.
A simple fix would be to enforce HTTPS within Rails. However, in a setup as described, this would break the onion service.
Accordingly, this commit introduces a new gem, secure_headers, which allows more fine-grained control of the involved settings. It requires a reverse proxy like Apache or Nginx which sets X-Forwarded-Proto for HTTPS requests, to make the backend aware.
This change is based on these docs: https://riseup.net/en/security/network-security/tor/onionservices-best-practices#onion-services-and-rails-4
Ref #55 (closed)