[Cashtab] Add useful security headers
Summary:
T3395
Cashtab would benefit from some more strict security headers.
Strict-Transport-Security -- allows only https
X-Frame-Options "DENY" -- prevent cashtab appearing in a frame, prevent clickjacking attacks
X-Content-Type-Options -- ref https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
Referrer-Policy -- only show the origin, for example we don't want to pass URL referrer info if it had tx params
Permissions-Policy -- do not allow camera use from another site
Also will add a CSP header, but this one is more complicated and risks breaking things -- so should be handled separately
Test Plan:
cd web/cashtab
docker build -t cashtab_local .
docker run --rm -p 8080:80 --name cashtab cashtab_local
In another terminal,
curl -I http://localhost:8080
Confirm output includes added headers
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D15102
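Added example, not part of the Cashtab commit or the Bitcoin ABC repository: a small POSIX shell checker for the test-plan step "Confirm output includes added headers". It takes a `curl -I` style response block (CRLF line endings tolerated), lists which of the five headers named in the summary are missing, and returns non-zero if any are absent, so the manual eyeballing step can fail a CI job instead. The two sample response blocks and the header values in SAMPLE_AFTER are constructed for illustration (only the "DENY" value comes from the summary; the max-age, "origin", "nosniff" and camera values are assumptions); check_url is an assumed helper that wraps the real curl command from the test plan.

```shell
#!/bin/sh
# Added example: verify that an HTTP response header block carries the
# security headers listed in the commit summary. Not Cashtab project code.

# The five headers the commit adds (names only; values are site policy).
required_headers() {
  printf '%s\n' \
    'Strict-Transport-Security' \
    'X-Frame-Options' \
    'X-Content-Type-Options' \
    'Referrer-Policy' \
    'Permissions-Policy'
}

# missing_headers RESPONSE: print each required header that does not appear
# as a header line in RESPONSE. Matching is case-insensitive on the name
# and anchored at line start so a value mentioning a header name does not
# count as the header being set. CRs from curl's CRLF output are dropped.
missing_headers() {
  resp=$(printf '%s\n' "$1" | tr -d '\r')
  required_headers | while IFS= read -r h; do
    if ! printf '%s\n' "$resp" | grep -qi "^$h:"; then
      printf '%s\n' "$h"
    fi
  done
}

# check_headers RESPONSE: exit 0 when every required header is present,
# 1 otherwise (printing the missing names to stderr).
check_headers() {
  missing=$(missing_headers "$1")
  if [ -n "$missing" ]; then
    printf 'missing security headers:\n%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# check_url URL: assumed helper running the test plan's curl against a
# live container, e.g. check_url http://localhost:8080 (needs network).
check_url() {
  check_headers "$(curl -sI "$1")"
}

# Constructed sample: a response without the hardening headers.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 1234'

# Constructed sample: the same response after the commit; header values are
# illustrative assumptions, not Cashtab's configured values.
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 1234
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: origin
Permissions-Policy: camera=(self)'

# Stand-alone run: show the checker rejecting the old block and accepting the new one.
if [ "${1:-}" = "demo" ]; then
  check_headers "$SAMPLE_BEFORE" || echo "before: FAIL (expected)"
  check_headers "$SAMPLE_AFTER" && echo "after: OK"
fi
```

Run `sh check_headers.sh demo` to see both outcomes offline, or source the file and call `check_url http://localhost:8080` against the container from the test plan. The anchored, case-insensitive match matters: a header such as `X-Frame-Options` is present only if it starts a line, so a `Content-Security-Policy` value that happens to mention another header name does not produce a false pass.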