Feature/security headers middleware

[mijinummi]

Security Headers Middleware for Enhanced Protection (#327)

Overview

This PR introduces middleware to enforce security headers across all API responses, protecting against common web vulnerabilities.

Changes

• Added SecurityHeadersMiddleware to set headers:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Strict-Transport-Security (production only)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: disable geolocation, camera, microphone, etc.
  • X-DNS-Prefetch-Control: off
• Removed sensitive headers (X-Powered-By, Server, etc.)
• Configured cache control per content type (dynamic, static, private)
• Added .well-known/security.txt endpoint
• Registered middleware globally in AppModule

Acceptance Criteria Met

• ✅ All security headers present
• ✅ No sensitive headers leaked
• ✅ HSTS enforced in production
• ✅ Clickjacking prevented
• ✅ MIME sniffing blocked
• ✅ Cache control headers appropriate
• ✅ Security scanners show no vulnerabilities

Next Steps

• Add monitoring for header compliance
• Integrate automated security scans in CI/CD
• Extend Permissions-Policy as new browser APIs emerge
  Closes Security Headers Middleware for Enhanced Protection #327

[drips-wave]

@mijinummi Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits