Merged xss-hardening [r=fcorrea] [f=1211805,1211810].
Based on Chris' branch lp:~tribaal/txaws/xss-hardening, drops the cgi.escape as json content shouldn't be escaped.
It also adds the "X-Content-Type-Options: nosniff" header, to prevent browsers from guessing the content type, and use the one declared in the response (application/json).
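
The effect of the two changes described in this commit message, as an added Python sketch that is not txaws code: the function names and the sample input are hypothetical, and `html.escape` stands in for the `cgi.escape` call the commit drops.

```python
import html
import json


def render_json_error(message, status="400 Bad Request"):
    """Return (status, headers, body) for a JSON error that echoes `message`."""
    # json.dumps does the only encoding the JSON format needs.
    body = json.dumps({"error": message}).encode("utf-8")
    headers = [
        ("Content-Type", "application/json"),
        # Tell the browser to trust the declared type and not sniff the body.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return status, headers, body


def render_json_error_escaped(message):
    """Assumed 'before' behaviour: HTML-escape a value that is placed in JSON."""
    return json.dumps({"error": html.escape(message)}).encode("utf-8")


def missing_hardening(headers):
    """List what a JSON response's headers lack; empty list means hardened."""
    found = {name.lower(): value.strip().lower() for name, value in headers}
    problems = []
    if not found.get("content-type", "").startswith("application/json"):
        problems.append("Content-Type is not application/json")
    if found.get("x-content-type-options") != "nosniff":
        problems.append("X-Content-Type-Options: nosniff missing")
    return problems


# Constructed sample input containing HTML metacharacters.
SAMPLE = 'Unknown parameter <b>"x" & y</b>'

if __name__ == "__main__":
    status, headers, body = render_json_error(SAMPLE)
    print(status, missing_hardening(headers))
    # An API client decoding the body gets the original string back...
    print(json.loads(body)["error"])
    # ...while the HTML-escaped variant hands it entity-mangled data.
    print(json.loads(render_json_error_escaped(SAMPLE))["error"])
```

`missing_hardening` can be run over captured response headers in a regression test so the `nosniff` header is not silently lost later.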