Add default headers to webserver responses

[frenck]

Breaking change

Home Assistant can't be put in an iframe anymore by default. If you still want to embed the Home Assistant interface in a frame, you can do so by disabling use_x_frame_options by setting it to false in the http configuration.

Proposed change

This PR adds a little bit of middleware, that sets some useful headers by default. To improve both security and privacy.

• Sets Referrer-Policy to disable any referrer to be sent out. This prevents leaking your instance URL when navigating away.
• Sets X-Frame-Options which helps to prevent clickjacking.
• Sets X-Content-Type-Options to avoid MIME type sniffing.
• Sets Server to an empty string. This prevents aiohttp adding its version + Python version; leaking unneeded information.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request: Document use_x_frame_options http configuration option home-assistant.io#28453

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[home-assistant]

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

• @home-assistant close Closes the pull request.
• @home-assistant rename Awesome new title Renames the pull request.
• @home-assistant reopen Reopen the pull request.
• @home-assistant unassign http Removes the current integration label and assignees on the pull request, add the integration domain after the command.

[edenhaus]

Thanks @frenck 👍