Force CSP header for all requests

Currently styles / plugins were not actually under the CSP
header protection.
There's no real reason to not have them for all requests, so
add them as a root middleware.

src/server.js

@@ -50,6 +50,7 @@ module.exports = function (options = {}) {
 	app.set("env", "production")
 		.disable("x-powered-by")
 		.use(allRequests)
+		.use(addSecurityHeaders)
 		.get("/", indexRequest)
 		.get("/service-worker.js", forceNoCacheRequest)
 		.get("/js/bundle.js.map", forceNoCacheRequest)
@@ -286,14 +287,7 @@ function allRequests(req, res, next) {
 	return next();
 }
 
-function forceNoCacheRequest(req, res, next) {
-	// Intermittent proxies must not cache the following requests,
-	// browsers must fetch the latest version of these files (service worker, source maps)
-	res.setHeader("Cache-Control", "no-cache, no-transform");
-	return next();
-}
-
-function indexRequest(req, res) {
+function addSecurityHeaders(req, res, next) {
 	const policies = [
 		"default-src 'none'", // default to nothing
 		"base-uri 'none'", // disallow <base>, has no fallback to default-src
@@ -317,10 +311,22 @@ function indexRequest(req, res) {
 		policies.push("img-src http: https: data:");
 	}
 
-	res.setHeader("Content-Type", "text/html");
 	res.setHeader("Content-Security-Policy", policies.join("; "));
 	res.setHeader("Referrer-Policy", "no-referrer");
 
+	return next();
+}
+
+function forceNoCacheRequest(req, res, next) {
+	// Intermittent proxies must not cache the following requests,
+	// browsers must fetch the latest version of these files (service worker, source maps)
+	res.setHeader("Cache-Control", "no-cache, no-transform");
+	return next();
+}
+
+function indexRequest(req, res) {
+	res.setHeader("Content-Type", "text/html");
+
 	return fs.readFile(
 		path.join(__dirname, "..", "client", "index.html.tpl"),
 		"utf-8",