MAF-005: [MODERATE] Missing / incorrect security headers

[Floppy]

Important security headers are missing or misconfigured.

Technical description:

The application lacks essential security headers or has these misconfigured:

• X-XSS-Protection is set to 0
• The CSP header is minimal (frame-ancestors 'self')
• Lack of Strict-Transport-Security header
• Missing Permissions-Policy

Impact:

Missing or misconfigured security headers might expose the application to XSS attacks, clickjacking, and other security risks.

Recommendation:

• Remove the obsolete X-XSS-Protection header and rely on modern browser built-in XSS protection such as CSP. NOTE: this is just set to 0 by default by Rails for legacy clients.
• Enhance the CSP header to restrict content sources and prevent unauthorized access, e.g. adding script-src, object-src and require-trusted-types-for. Add Content-Security-Policy to increase security #2287
• Implement the Strict-Transport-Security header to enforce secure connections. Add HTTPS_ONLY env option to force secure-only connections #2275
• Add the Permissions-Policy header to control which browser features can be used and by which origins.

[Floppy]

Ignoring Permissions-Policy as there seems to be no way yet to ban all browser features and whitelist the ones we actually want. Of which, at the moment, there aren't any, so we'd have to ban everything and keep the list up to date, which seems impractical. See w3c/webappsec-permissions-policy#189

[Floppy]

require-trusted-types-for is still experimental, so we'll leave that out for now as well.