Set AtoM to enforce CSP by default

[sbreker]

We should update CSP settings to use Content-Security-Policy instead of Content-Security-Policy-Report-Only.

[sbreker]

Also check that the CSP directives match what is currently defined in the AtoM repo defaults.