feat: allow overriding http headers

[mnlkrs]

While integrating this repository I came across an CSP error trying to create a service worker:

Failed to construct 'Worker': Access to the script at 'blob:https://foo.bar/f857a673-313d-42d9-965b-bfc803440b1e' is denied by the document's Content Security Policy.

I couldn't really find a way to override the headers, so here I am with the pull request!

Let me know if you want anything changed.

[IchBinYangF]

Met the same CSP problem with img loading from another distribution, need to override the http header of CSP.
(restriction of Combining CloudFront Functions with Lambda@Edge with Viewer request with Lambda@Edge and viewer respond with CloudFront Functions not possible https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions-restrictions.html)
so this can't be solved by adding add cloudfront function (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-add-security-headers.html)
I really need this PR. @mnlkrs 👍

[mnlkrs]

Hi @henrist , this is still something I'm interested in - another use-case is simply loading google fonts, which would be blocked with the default, non-overwritable CSP.