Missing Security Headers #91

@ASPactores

Description

Context

The current DurianPy website has been flagged for missing essential HTTP security headers. These headers are critical for protecting our users from cross-site scripting (XSS), clickjacking, and other common web vulnerabilities. Additionally, the X-Powered-By header is currently visible, which leaks technology stack information to potential attackers.

Task

Serve strict HTTP security headers with every response so that we can improve our security posture.

  • Implement Strict-Transport-Security (HSTS) with a max-age of at least 1 year (31536000 seconds) and includeSubDomains.
  • Implement a comprehensive Content-Security-Policy (CSP) that restricts script and style sources to trusted origins (self and trusted CDN only).
  • Implement X-Frame-Options set to SAMEORIGIN to prevent clickjacking.
  • Implement X-Content-Type-Options set to nosniff.
  • Implement Referrer-Policy set to strict-origin-when-cross-origin.
  • Implement Permissions-Policy to disable access to all browser features (e.g., camera, microphone, geolocation) since we don't need these for now.
  • Headers must be configured within next.config.ts to ensure they are applied globally.

Hint
Refer to the official documentation for implementation details: https://nextjs.org/docs/app/api-reference/config/next-config-js/headers
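The following is an added example, not the DurianPy project's own next.config.ts, showing how the headers listed in the task can be served globally through the headers() config documented in the link above, together with a small check helper for verifying a response; the CDN origin is a placeholder.

```typescript
// Added example, not the DurianPy project's own next.config.ts. TRUSTED_CDN is a
// placeholder; substitute the CDN the site actually loads from. The config is typed
// inline so it compiles without `next` installed (use `NextConfig` from "next" in the repo).
const TRUSTED_CDN = "https://cdn.example.com";

export const securityHeaders: { key: string; value: string }[] = [
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
  {
    key: "Content-Security-Policy",
    value: [
      "default-src 'self'",
      `script-src 'self' ${TRUSTED_CDN}`,
      `style-src 'self' ${TRUSTED_CDN}`,
      "object-src 'none'",
      "base-uri 'self'",
      "frame-ancestors 'self'", // CSP counterpart of X-Frame-Options: SAMEORIGIN
    ].join("; "),
  },
  { key: "X-Frame-Options", value: "SAMEORIGIN" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

const nextConfig = {
  poweredByHeader: false, // stop Next.js from emitting X-Powered-By
  async headers() {
    // "/(.*)" matches every route, so the headers apply globally.
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

export default nextConfig;

// Check helper: given a response's headers (names in any case), list required
// headers that are missing, an HSTS max-age under one year, and a leaked X-Powered-By.
export function securityHeaderProblems(received: Record<string, string>): string[] {
  const got = new Map(Object.entries(received).map(([k, v]) => [k.toLowerCase(), v] as const));
  const problems: string[] = [];
  for (const { key } of securityHeaders) {
    const v = got.get(key.toLowerCase());
    if (v === undefined) { problems.push(`missing ${key}`); continue; }
    if (key === "Strict-Transport-Security") {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m || Number(m[1]) < 31536000) problems.push("HSTS max-age under one year");
    }
  }
  if (got.has("x-powered-by")) problems.push("X-Powered-By still present");
  return problems;
}
```

After deploying, feed the headers of a real response (for example from `curl -I`) into securityHeaderProblems to confirm the list comes back empty.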
