Use a different and more strict CSP for the API endpoints
Proposal
The API shouldn't serve any HTML content (at least not with the HTML MIME type), so the complex CSP isn't really required there. For defense in depth, in case we do end up serving HTML, we should keep a CSP like `default-src 'none'`. This would make the response headers smaller by roughly 1500 characters.
The CSP isn't the root cause of gitlab-com/gl-infra/production#7516 (closed), but keeping it short would have helped prevent this problem.
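As an added illustration (not GitLab's own middleware), the following Rack-style middleware swaps in the strict `default-src 'none'` policy for `/api/` paths and keeps the full policy elsewhere; the `FULL_CSP` value and the `/api/` prefix are assumptions standing in for the real site-wide policy and route layout.

```ruby
# Placeholder for the long site-wide policy (constructed, not the real one).
FULL_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123' https://cdn.example.com; " \
           "style-src 'self' 'unsafe-inline'; img-src * data: blob:; " \
           "connect-src 'self' wss://example.com; frame-ancestors 'self'; report-uri /-/csp-report"
# The proposal's minimal policy for endpoints that never render HTML.
STRICT_CSP = "default-src 'none'"

# Choose the policy by request path: API routes get the strict one,
# everything else keeps the full one. The '/api/' prefix is an assumption.
def csp_for(path)
  path == '/api' || path.start_with?('/api/') ? STRICT_CSP : FULL_CSP
end

# Rack middleware that overrides whatever CSP the inner app set, so API
# responses carry only the short policy even if shared headers add the full one.
class ApiCsp
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers['Content-Security-Policy'] = csp_for(env['PATH_INFO'].to_s)
    [status, headers, body]
  end
end

# Bytes saved per response when the strict policy replaces the full one.
def header_savings
  FULL_CSP.bytesize - STRICT_CSP.bytesize
end

# Constructed demo: an inner app that always sets the full CSP, wrapped by ApiCsp.
def demo(path)
  inner = lambda do |_env|
    [200, { 'Content-Security-Policy' => FULL_CSP, 'Content-Type' => 'application/json' }, ['{}']]
  end
  _status, headers, _body = ApiCsp.new(inner).call('PATH_INFO' => path)
  headers['Content-Security-Policy']
end
```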
Edited by Dominic Couture