fix(api): always set Strict-Transport-Security header

[jbrockopp]

This change enforces the API to utilize HTTP Strict-Transport-Security (HSTS):

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

To accomplish this, we set a header to inform browsers that the site should only be accessed using HTTPS:

server/router/middleware/header.go

Line 56 in 8bf333d

c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")

NOTE: This is the same value we set for the go-vela/ui:

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

This was flagged, as a low finding, by Cargill's security team during a penetration test of the system.

Their argument is by not enforcing secure connections, via HSTS, enables someone to exploit the product.

If an adversary were positioned in the middle of the endpoint and the server, they could use that against the system.

[codecov]

Codecov Report

Merging #644 (62a9bc0) into master (8db1ffd) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #644      +/-   ##
==========================================
- Coverage   55.37%   55.36%   -0.01%     
==========================================
  Files         195      195              
  Lines       15830    15827       -3     
==========================================
- Hits         8766     8763       -3     
  Misses       6695     6695              
  Partials      369      369              

Impacted Files	Coverage Δ
router/middleware/header.go	56.36% <100.00%> (-2.26%)	⬇️

[kneal]

LGTM 🐬