Onion service related changes to HTTPS handling (#15560)

* Enable secure cookie flag for https only

* Disable force_ssl for .onion hosts only

Co-authored-by: Aiden McClelland <me@drbonez.dev>

config/initializers/secureheaders.rb

@@ -0,0 +1,10 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true,
+    httponly: true,
+    samesite: {
+      lax: true
+    }
+  }
+  config.csp = SecureHeaders::OPT_OUT
+end