JSON response headers need XSS protection

[joseph-reynolds]

The REST API HTTP responses are missing some security headers. This should be done even for JSON data per https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

For example, https GET /${bmc}/xyz/openbmc_project/network/enumerate returns JSON data with HTTP response headers that do not include:

• Content-Security-Policy
• X-Content-Type-Options
• X-XSS-Protection
• Strict-Transport-Security
• and other similar headers

The fix is to add these headers to the HTTP response.