Add CSRF protection to state-changing POST endpoints

Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.

Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms

Closes #11

templates/deployments.html

@@ -18,6 +18,7 @@
     <div class="section-header">
         <h1 class="text-2xl font-medium text-gray-900">Deployment History</h1>
         <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
+                {{ .CSRFField }}
             <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                 <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
             </button>
@@ -103,6 +104,7 @@
                 <p class="empty-state-description">Deploy your application to see the deployment history here.</p>
                 <div class="mt-6">
                     <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
+                {{ .CSRFField }}
                         <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                             <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
                         </button>