Apply recommended security enhancements

[anarva]

Apply security enhancements recommended in the security guidelines for Meteor:

"1. Add package to explicitly block XSS and clickjacking attacks "
"2. Disable uncontrolled and free use of profile field assigned by default for each Meteor user"
"3. Limit the login attempts per connection to three per 10 seconds."

Description:

By adding browser-policy package, cross site scripting attacks are harder to construct. No changes to code required.

Disabling the uncontrolled user profile is recommended in the security guidelines.

Limiting/ lowering the amount the login attempts per connection will reduce the impact of brute force attacks against the user accounts.

User Story:

"As a user, I will not be prone to specially constructed harmful sites capturing the user input intended for the API portal."

"As a user, I will not be able to abuse the unlimited user profile storage provided by Meteor by default."

"As a user, my password is better secure when login attempts are limited."

[anarva]

Revisited this reported issue.

1. Suggested solution: the "browser-policy" Meteor package to prevent XSS and clickjacking attacs. Our Swagger editor is depending on ability to load definition files from remote sources. This is preventing us using the "browser-policy" package as an added security layer.
2. Disabling unlimited user storage: No mention of that in the current Meteor security guideline. Apparently an obsolete issue.
3. User authentication rate limiting - https://guide.meteor.com/security.html#rate-limiting "Meteor has built-in rate limiting for password login to stop password brute-forcing". An obsolete issue.