feat: Add security response headers

Summary

  • Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to all responses from blog and wallet apps
  • Add documentation for nginx configuration to avoid header conflicts

Details

These headers provide defense-in-depth protection:

  • X-Content-Type-Options: nosniff - prevents MIME-sniffing attacks
  • X-Frame-Options: SAMEORIGIN - prevents clickjacking
  • Referrer-Policy: strict-origin-when-cross-origin - controls referrer leakage
  • Permissions-Policy - disables unused browser features (camera, microphone, geolocation)

CSP is intentionally not included yet - it will be added separately after proper testing with Report-Only mode.

Files Changed

  • apps/blog/next.config.js - added security headers
  • apps/wallet/next.config.js - added security headers
  • docs/security-headers.md - nginx configuration guidance

Test Plan

  • Deploy to staging
  • Verify headers with curl -I https://staging-url/trending
  • Confirm no duplicate headers
  • Test that blog and wallet functionality works normally
  • Test with Hive Keychain extension
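As an added example (not the project's own next.config.js), the four headers listed above expressed as a Next.js `headers()` config, plus a small parser for a `curl -I` response that flags the "duplicate headers" case the test plan and the nginx guidance are concerned with. The Permissions-Policy value is an assumption; the description only names the disabled features.

```javascript
// Added example, not the project's own next.config.js. Header values follow the
// MR description; the Permissions-Policy value is an assumption (the description
// only names camera, microphone and geolocation as the disabled features).
const securityHeaders = [
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// The shape Next.js expects from `headers()` in next.config.js: one rule that
// applies the list to every route. In the real file: module.exports = { headers }.
async function headers() {
  return [{ source: '/:path*', headers: securityHeaders }];
}

// Parses the header block of a `curl -I` response into [name, value] pairs.
// Names are lower-cased because HTTP header names are case-insensitive.
function parseResponseHeaders(raw) {
  return raw
    .split(/\r?\n/)
    .slice(1) // drop the status line
    .filter((line) => line.includes(':'))
    .map((line) => {
      const idx = line.indexOf(':');
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Returns the security headers that appear more than once: the symptom of nginx
// (add_header) and Next.js both setting them, which docs/security-headers.md addresses.
function duplicatedSecurityHeaders(raw) {
  const wanted = new Set(securityHeaders.map((h) => h.key.toLowerCase()));
  const counts = new Map();
  for (const [name] of parseResponseHeaders(raw)) {
    if (wanted.has(name)) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed sample response: nginx and Next.js both emitting X-Frame-Options.
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'x-content-type-options: nosniff',
  'x-frame-options: SAMEORIGIN',
  'x-frame-options: DENY',
  'referrer-policy: strict-origin-when-cross-origin',
  'permissions-policy: camera=(), microphone=(), geolocation=()',
].join('\r\n');
```

Running `duplicatedSecurityHeaders` over the real `curl -I` output from staging gives a concrete pass/fail for the "no duplicate headers" step instead of eyeballing the list.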
