Description
Is your feature request related to a problem? Please describe.
The application does not include critical security response headers such as HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Content-Security-Policy. This leaves the application potentially vulnerable to various security threats, including clickjacking, MIME type sniffing attacks, and cross-site scripting (XSS) attacks. Since our deployment is done through Helm charts and we can't set these headers on the ALB, we need a way to implement these headers within the application itself.
Describe the solution you'd like
It'd be great to have the following security response headers in the application through some middleware:
- HSTS (HTTP Strict Transport Security)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Content-Security-Policy
These headers should be toggleable using environment variables for production deployments. This will allow us to easily enable or disable specific headers as needed without modifying the application code.
The implementation should include:
- A mechanism to set these headers in the application's HTTP responses.
- Environment variables for each header to enable/disable them (e.g., ENABLE_HSTS, ENABLE_X_FRAME_OPTIONS, etc.).
- Default values for each header when enabled (e.g., X-Frame-Options: DENY).
- Optional environment variables to customize header values where applicable (e.g., HSTS_MAX_AGE, CSP_POLICY).
Describe alternatives you've considered
Setting headers at the reverse proxy level: This is not feasible due to our Helm chart deployment and inability to set these on the ALB.
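As an added illustration of the middleware this request describes (example code, not the project's own, and not part of the original issue), below is a framework-neutral Python WSGI middleware that emits the five headers, each toggled and customised through environment variables. The variable names ENABLE_HSTS, ENABLE_X_FRAME_OPTIONS, HSTS_MAX_AGE and CSP_POLICY follow the ones proposed above; ENABLE_X_CONTENT_TYPE_OPTIONS, ENABLE_X_XSS_PROTECTION, ENABLE_CSP, HSTS_INCLUDE_SUBDOMAINS, X_FRAME_OPTIONS and X_XSS_PROTECTION are this example's own assumptions, as are the default values. It also handles the ALB case from the issue: the Strict-Transport-Security header is only emitted when the request was really HTTPS, judged from X-Forwarded-Proto when a load balancer terminates TLS, because browsers ignore HSTS received over plain HTTP.

```python
"""Environment-toggled security response headers as a WSGI middleware.

Hypothetical example: the ENABLE_* / *_MAX_AGE / *_POLICY names mirror the
ones proposed in the issue; the remaining names and all defaults are this
example's choices, not the project's.
"""
import os
from typing import Callable, Iterable, List, Mapping, Optional, Tuple
from wsgiref.util import setup_testing_defaults

Headers = List[Tuple[str, str]]

# Accepted spellings of "on" for the ENABLE_* switches.
_TRUE = {"1", "true", "yes", "on"}


def _enabled(env: Mapping[str, str], name: str, default: bool = True) -> bool:
    """Read an ENABLE_*-style switch; an unset variable means `default`."""
    raw = env.get(name)
    return default if raw is None else raw.strip().lower() in _TRUE


def build_security_headers(env: Mapping[str, str]) -> Headers:
    """Compute the header list from an environment mapping.

    Pure function so it can be unit-tested with a plain dict; the middleware
    passes os.environ at startup.
    """
    headers: Headers = []
    if _enabled(env, "ENABLE_HSTS"):
        value = f"max-age={int(env.get('HSTS_MAX_AGE', '31536000'))}"  # one year
        if _enabled(env, "HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        headers.append(("Strict-Transport-Security", value))
    if _enabled(env, "ENABLE_X_FRAME_OPTIONS"):
        headers.append(("X-Frame-Options", env.get("X_FRAME_OPTIONS", "DENY")))
    if _enabled(env, "ENABLE_X_CONTENT_TYPE_OPTIONS"):
        headers.append(("X-Content-Type-Options", "nosniff"))
    if _enabled(env, "ENABLE_X_XSS_PROTECTION"):
        # "0" turns the legacy browser XSS auditor off, which is the current
        # OWASP recommendation; override with X_XSS_PROTECTION if required.
        headers.append(("X-XSS-Protection", env.get("X_XSS_PROTECTION", "0")))
    if _enabled(env, "ENABLE_CSP"):
        headers.append(("Content-Security-Policy",
                        env.get("CSP_POLICY", "default-src 'self'; frame-ancestors 'none'")))
    return headers


def _is_https(environ: Mapping[str, str]) -> bool:
    """True if the client connection was TLS, directly or via a TLS-terminating proxy."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return environ.get("wsgi.url_scheme") == "https" or forwarded.lower() == "https"


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and append the configured headers to every response."""

    def __init__(self, app: Callable, env: Optional[Mapping[str, str]] = None):
        self.app = app
        self.headers = build_security_headers(os.environ if env is None else env)

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        def _start_response(status, response_headers, exc_info=None):
            existing = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in self.headers:
                # Never clobber a header the application set deliberately,
                # and never advertise HSTS on a plain-HTTP response.
                if name.lower() in existing:
                    continue
                if name == "Strict-Transport-Security" and not _is_https(environ):
                    continue
                merged.append((name, value))
            return start_response(status, merged, exc_info)
        return self.app(environ, _start_response)


def hello_app(environ, start_response) -> Iterable[bytes]:
    """Minimal constructed application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app: Callable, https: bool = False) -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process; `https` mimics an ALB adding X-Forwarded-Proto."""
    environ: dict = {}
    setup_testing_defaults(environ)
    if https:
        environ["HTTP_X_FORWARDED_PROTO"] = "https"
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    wrapped = SecurityHeadersMiddleware(hello_app, env={"HSTS_MAX_AGE": "600"})
    for name, value in run_request(wrapped, https=True)[1]:
        print(f"{name}: {value}")
```

To verify a deployment, request the app through the load balancer with `curl -sI https://<host>/` and confirm the headers are present on the HTTPS response; if Strict-Transport-Security is missing, check that the balancer forwards X-Forwarded-Proto, since the middleware deliberately withholds HSTS on what it sees as a plain-HTTP request.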