mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.

<tr>
  <th>What is {x} {op} {y}?</th><td>
    <input name="captcha_challenge" type="hidden" value="{challenge}">
    <input name="captcha_reply" pattern="[0-9]+" required type="number">
  </td></tr>