Add concept of read-only endpoints and add configuration to block anything but read-only endpoints

Idea would be to have all mutating endpoints (`PUT`, `POST` and `DELETE`) return a 405 Method Not Allowed by default, unless a configuration option is explicitly set to allow mutations.