Extra browser-level hardening across the app

We extended the same set of browser security headers the API already sends so they now also cover every user-facing page. It's an invisible, behind-the-scenes…