Default content-type on verification responses

As implemented, the verification response handler uses content-type of `application/x-www-form-urlencoded` if there's no `Accept:` header provided (or the `Accept:` header doesn't specify a supported content-type); however the IndieAuth spec only states that the verification response should be a JSON object. So it seems that the default content-type in the response should be `application/json`.