Send HTTP security headers (CSP, etc) on file downloads

File downloads should return HTTP security headers as another layer of
protection against someone framing a MantisBT file_download link to a
file with a harmful MIME type such as text/html.