configs: add security headers

For more information, see https://securityheaders.com/?q=fic.srs.epita.fr&hide=on&followRedirects=on

configs/nginx-demo.conf

@@ -25,6 +25,12 @@ server {
         error_page 500 502 504 /e500.html;
 
         add_header Strict-Transport-Security max-age=31536000;
+        add_header X-Frame-Options deny;
+	add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
+	add_header X-Xss-Protection "1; mode=block";
+	add_header X-Content-Type-Options nosniff;
+	add_header Referrer-Policy strict-origin;
+	add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
 
         location = / {
             include fic-auth.conf;

configs/nginx-prod.conf

@@ -29,6 +29,12 @@ server {
         error_page 500 502 504 /e500.html;
 
         add_header Strict-Transport-Security max-age=31536000;
+        add_header X-Frame-Options deny;
+	add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
+	add_header X-Xss-Protection "1; mode=block";
+	add_header X-Content-Type-Options nosniff;
+	add_header Referrer-Policy strict-origin;
+	add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
 
         location = / {
             include fic-auth.conf;