Implement Content-Security-Policy header
We use Qualys to scan for vulnerabilities, and one item they flagged is that we aren't sending the Content-Security-Policy header. They note that they simply look for the existence of the header, not the actual value of the header. I attempted to add headers using:
```
"Content-Security-Policy" => "default-src 'self'; script-src 'self';"
}
```
However, when I run `sudo gitlab-ctl reconfigure`, nginx throws errors when restarting. What's the proper syntax to add this header?
Also, I know there has been some work over at the [gitlab-ce project](https://gitlab.com/gitlab-org/gitlab-ce/issues/18231) that was [reverted](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5381), so I'm not trying to stir a hornet's nest. I'm just trying to get GitLab to be clear of the Qualys alerts where I can. I do thank everyone working on GitLab. We currently have Bitbucket and Jenkins, but Qualys certainly does not like those and I don't see any way to resolve those alerts, but GitLab is largely good, so thank you for all your work!