watchd: tighten secondary check validation

- judge blocks record as neutral (judge_block category), not success;
  evaluate() filters them out so they affect neither pass nor fail count
- require HTTP/1.x response line for non-IRC checks; non-HTTP garbage
  (captive portals, proxy error pages) fails immediately
- add is_public_ip() rejecting RFC 1918, loopback, link-local, and
  multicast ranges from judge exit IP extraction
- remove 5 weak HEAD regex targets whose fingerprint headers appear on
  error pages and captive portals (p3p, X-XSS-Protection,
  x-frame-options, referrer-policy, X-UA-Compatible)
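
Added example, not code from this commit or its project: one way the HTTP/1.x response-line requirement and the is_public_ip() filter described above could fit together. `judge_exit_ip`, both regexes, the body-only search and the sample replies are assumptions constructed for illustration; only IPv4 is handled.

```python
import ipaddress
import re

# Assumption: "HTTP/1.x response line" means the reply starts with HTTP/1.0 or 1.1 and a 3-digit code.
STATUS_LINE = re.compile(rb'HTTP/1\.[01] \d{3}\b')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Exactly the ranges the commit message lists (IPv4 only in this example).
REJECTED = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',  # RFC 1918
    '127.0.0.0/8',                                     # loopback
    '169.254.0.0/16',                                  # link-local
    '224.0.0.0/4',                                     # multicast
)]

def is_public_ip(text):
    """True for a valid IPv4 address outside every rejected range."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:          # e.g. '999.1.1.1' picked up by the loose regex
        return False
    return not any(ip in net for net in REJECTED)

def judge_exit_ip(raw):
    """Return the first public IPv4 in a judge reply body, or None."""
    if not STATUS_LINE.match(raw):      # captive portal / proxy garbage
        return None
    _, _, body = raw.partition(b'\r\n\r\n')
    for candidate in IPV4.findall(body.decode('latin-1')):
        if is_public_ip(candidate):
            return candidate
    return None

# Constructed sample replies (203.0.113.7 is a documentation address).
PORTAL = b'<html><body>Sign in to continue. Gateway 192.168.1.1</body></html>'
INTERNAL_ONLY = b'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nREMOTE_ADDR = 10.0.0.5\n'
GOOD = b'HTTP/1.1 200 OK\r\n\r\nVIA = 172.16.4.9\nREMOTE_ADDR = 203.0.113.7\n'

if __name__ == '__main__':
    for name, raw in (('portal', PORTAL), ('internal', INTERNAL_ONLY), ('good', GOOD)):
        print(name, judge_exit_ip(raw))
```
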
Username
2026-02-17 18:37:38 +01:00
parent 1236ddbd2d
commit 2e3ce149f9
2 changed files with 48 additions and 23 deletions
-5
@@ -107,11 +107,9 @@ regexes = {
'www.twitter.com': 'x-connection-hash',
't.co': 'x-connection-hash',
'www.msn.com': 'x-aspnetmvc-version',
'www.bing.com': 'p3p',
'www.ask.com': 'x-served-by',
'www.hotmail.com': 'x-msedge-ref',
'www.bbc.co.uk': 'x-bbc-edge-cache-status',
'www.skype.com': 'X-XSS-Protection',
'www.alibaba.com': 'object-status',
'www.mozilla.org': 'cf-ray',
'www.cloudflare.com': 'cf-ray',
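Review bot: 'cf-ray' stays as the fingerprint for both 'www.mozilla.org' and 'www.cloudflare.com' in this hunk, and it has the weakness the commit message gives for dropping 'p3p' and 'X-XSS-Protection': Cloudflare attaches it to every response it serves, including its own error and block pages, so a match shows that a Cloudflare edge answered, not that the target page was reached. Consider dropping these two entries as well or pairing the header match with a status-code check, and add a comment above the dict stating what qualifies a header as a fingerprint so later additions are held to the same rule.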
@@ -121,7 +119,6 @@ regexes = {
'www.netflix.com': 'X-Netflix.proxy.execution-time',
'www.amazon.de': 'x-amz-cf-id',
'www.reuters.com': 'x-amz-cf-id',
'www.ikea.com': 'x-frame-options',
'www.twitpic.com': 'timing-allow-origin',
'www.digg.com': 'cf-request-id',
'www.wikia.com': 'x-served-by',
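Review bot: 'timing-allow-origin' for 'www.twitpic.com' survives in this hunk although it is a standard Resource Timing header rather than a site-specific one, which puts it in the same class as the 'x-frame-options' entry for 'www.ikea.com' being dropped here; it should go too or be justified in a comment. Separately, 'X-Netflix.proxy.execution-time' contains unescaped dots: if the values of `regexes` are compiled as patterns, each dot matches any character, so escape them or document that the values are treated as literal strings.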
@@ -133,8 +130,6 @@ regexes = {
'www.yelp.com': 'x-timer',
'www.ebay.com': 'x-envoy-upstream-service-time',
'www.wikihow.com': 'x-c',
'www.archive.org': 'referrer-policy',
'www.pandora.tv': 'X-UA-Compatible',
'www.w3.org': 'x-backend',
'www.time.com': 'x-amz-cf-pop'
}
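Review bot: 'x-c' for 'www.wikihow.com' is short enough that, if these values are matched as unanchored patterns against the header block, it also matches 'x-cache' and 'x-content-type-options', and the latter is as common on error pages as the 'referrer-policy' and 'X-UA-Compatible' entries dropped in this hunk. Anchor the match to the full header name (for example require the ':' that follows it) or replace this target.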