Whitelist Box client certs and app origins

[michielbdejong]

In order to improve security and privacy, we should:

• remove CORS headers from curl -i -X POST -d'{"local_ip":"foo"}' http://knilxof.org:4242/register
• whitelist origins for /ping end-point (initially only https://app.knilxof.org/; host http://fxbox.github.io/app there).
• whitelist /register clients using signed client certs (we can fake this for the staging build using a signing-cert that's in the foxbox repo)

If we run into difficulties with the signed client certs, a simpler approach would be to add an Authorization header or something similar.