These changes add a command-line option --header, e.g. --header 'Access-Control-Allow-Origin: *'.
Basic tests are included for this option.
When accepting the argument, a very simple sanitization is made, the string is required to contain ": ", and can’t contain a '\n' character. These checks are far from what is required to truly validate a HTTP header, but will at least detect simple mistakes and forbid the abuse of having arguments that include more than one header, or, worse, that include a body for the response (after "\r\n\r\n").
This should also close the Issue #16 and PR #27, I think, since CORS functionality can be obtained by specifying a custom header.
