DanielHudson2
Added an action for wp_headers to set security headers

For now I have only added a basic default 'X-Frame-Options' = 'SAMEORIGIN' to prevent clickjacking. @edjeavons, I could do with some input on others from a server-side perspective.

This came from checking the security headers on the eighteen73 site https://securityheaders.com/?q=https%3A%2F%2Feighteen73.co.uk

Also added a filter so this can be overridden on a per site basis if needed

@DanielHudson2 DanielHudson2 added the enhancement New feature or request label Aug 14, 2025
@brettsmason brettsmason left a comment

Looks good to me. My only comment is should we have a filter to enable/disable the same as others, eg orbit_enable_security_headers. I'll leave Ed to comment on what the defaults should be.

@edjeavons
This is a really good idea, thanks @DanielHudson2

I've added some additional suggestions for the default header set. We'll need to give Content-Security-Policy a little thought to consider what's safe because I've definitely had problems trying to jump directly to generalised rules with that before.

I've added an is_ssl() check around the Strict-Transport-Security header to ensure it doesn't harm websites before devs are ready for it, but you and @brettsmason might have a preferred way to test for whether or not requests are using SSL.
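The pieces discussed in the PR description and in the two review comments, as an added example that is not the eighteen73/orbit code: a default header set hooked on `wp_headers` (which in WordPress core is a filter applied to the array `WP::send_headers()` emits, so the callback returns the array rather than calling `header()`), an enable/disable filter named as suggested in review, a per-site override filter, and the `is_ssl()` guard around Strict-Transport-Security. The namespace, function names and the `orbit_*` filter names are assumptions; `orbit_enable_security_headers` is the name proposed above.

```php
<?php
/**
 * Added example, not the eighteen73/orbit code. The Orbit\Security namespace,
 * the function names and the orbit_* filter names are assumptions.
 */

namespace Orbit\Security;

/**
 * Default header set. Strict-Transport-Security is only emitted when the
 * request itself arrived over TLS: browsers ignore HSTS received over plain
 * HTTP (RFC 6797 section 8.1), and a site that is not yet fully HTTPS should
 * not advertise it. includeSubDomains and preload are left out of the default
 * because they are hard to undo; a site can add them via the override filter.
 */
function default_security_headers(): array {
    $headers = [
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
    ];

    if ( is_ssl() ) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000';
    }

    return $headers;
}

/**
 * Merge the security headers into the array WordPress emits from
 * WP::send_headers(). wp_headers is a filter in core, so this must return
 * the modified array instead of calling header() directly.
 */
function add_security_headers( array $headers ): array {
    // Global on/off switch (assumed name, as suggested in review).
    if ( ! apply_filters( 'orbit_enable_security_headers', true ) ) {
        return $headers;
    }

    // Per-site override (assumed name): a site may change a value or set a
    // header to false to drop it entirely.
    $security = apply_filters( 'orbit_security_headers', default_security_headers() );

    foreach ( $security as $name => $value ) {
        if ( false === $value || null === $value ) {
            unset( $headers[ $name ] );
            continue;
        }
        $headers[ $name ] = $value;
    }

    return $headers;
}

add_filter( 'wp_headers', __NAMESPACE__ . '\add_security_headers' );

/*
 * Example per-site override, as it would appear in a child theme's
 * functions.php (also part of this added example): roll a Content-Security-Policy
 * out in report-only mode before enforcing it, and drop X-Frame-Options on a
 * site that has to be embedded by a partner.
 */
add_filter( 'orbit_security_headers', function ( array $headers ): array {
    $headers['Content-Security-Policy-Report-Only'] = "default-src 'self'";
    $headers['X-Frame-Options'] = false;
    return $headers;
} );
```

Two caveats when checking the result. `wp_headers` only runs for requests routed through `WP::main()`, so wp-admin screens and static files served straight by the web server never pass through it, which is why the server-side input asked for in the description is still needed for full coverage. And the `is_ssl()` guard means a site behind a TLS-terminating proxy that does not forward the scheme will never send HSTS; verify with `curl -sI https://example.com | grep -i strict-transport` (example.com standing in for the site) before trusting a securityheaders.com grade.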
