Add CSRF protection to state-changing POST endpoints

Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.

Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms

Closes #11

templates/app_edit.html

@@ -21,6 +21,7 @@
         {{template "alert-error" .}}
 
         <form method="POST" action="/apps/{{.App.ID}}" class="space-y-6">
+                {{ .CSRFField }}
             <div class="form-group">
                 <label for="name" class="label">App Name</label>
                 <input