1. Drop API support for GET, DELETE requests with a request body.

Healthchecks had an undocumented quirk where you could authenticate a
GET or DELETE request by putting a '{"api_key":"..."}' in the request body.
This commit removes this feature.

Note: POST requests can still authenticate either by sending
an X-Api-Key header, or by putting an "api_key" key in the request body.
GET and DELETE requests can now only authenticate with the
request header.

2. Add missing @csrf_exempt annotations in API views

When a client sends an HTTP POST request to a GET-only endpoint,
the server is supposed to respond with "405 Method Not Allowed".
Due to CSRF checking, a couple of endpoints were responding with
"403 Forbidden" instead. Adding @csrf_exempt annotations fixes
the problem.
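
The authentication rule from item 1 above, as an added sketch in plain Python; it is not Healthchecks' own code. The function name, the case-insensitive header lookup, and the header taking precedence over the body are assumptions made for illustration, and the sample requests are constructed.

```python
import json

# Per the commit message: only POST may still authenticate via the body.
BODY_AUTH_METHODS = {"POST"}


def extract_api_key(method, headers, body=b""):
    """Return the API key a request presents, or None if it presents none.

    headers: dict of header name -> value (matched case-insensitively).
    body: raw request body bytes.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    key = normalized.get("x-api-key", "").strip()
    if key:
        return key  # assumption: the header wins when both are present

    # GET and DELETE never consult the body, even if one was sent.
    if method.upper() not in BODY_AUTH_METHODS or not body:
        return None

    try:
        doc = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return None
    if not isinstance(doc, dict):
        return None
    key = doc.get("api_key")
    return key if isinstance(key, str) and key else None


if __name__ == "__main__":
    # Constructed sample requests: (method, headers, body).
    samples = [
        ("GET", {"X-Api-Key": "sample-key"}, b""),
        ("GET", {}, b'{"api_key":"sample-key"}'),     # body ignored
        ("DELETE", {}, b'{"api_key":"sample-key"}'),  # body ignored
        ("POST", {}, b'{"api_key":"sample-key"}'),
        ("POST", {}, b"not json"),
    ]
    for method, headers, body in samples:
        print(method, headers, body, "->", extract_api_key(method, headers, body))
```
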

This commit adds a {% absolute_site_logo_url %} template tag.
The tag emits an absolute URL pointing to either
SITE_LOGO_URL or to the fallback picture.

The tag is used in the base email template, in the Slack message
template, and in the "Add MS Teams" page.

This commit also fixes a couple of instances where absolute URLs
were constructed like so:

    {% site_root %}/docs/

This would result in incorrect links if Healthchecks is not
running at the webserver's root. The correct way is:

    {% site_root %}{% url 'hc-docs' %}

Finally, this commit removes stuff/logo.svg and
stuff/logo-full.svg. Self-hosted sites should not use the
official Healthchecks.io logos, so no point keeping them around
there.