Implement global security headers and CSP - Fix of #93PR

[sabdosh]

Description-
This fix addresses missing HTTP security headers in Doubtfire API responses. Previously, API responses did not consistently include important browser-side protections such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The absence of these headers increased exposure to risks such as clickjacking, MIME sniffing, cross-site scripting (XSS), and unnecessary browser feature access.

Changes made
doubtfire-api/config/application.rb

Added global security headers using Rails default headers configuration so all API responses automatically include them:

• X-Frame-Options: DENY
• X-Content-Type-Options: nosniff
• Referrer-Policy: no-referrer
• Permissions-Policy: geolocation=(), camera=(), microphone=()
• Content-Security-Policy: default-src 'self';

This approach ensures headers are applied consistently across all controllers and API endpoints without modifying individual routes.

Fixes: Missing Security Headers issue

How Has This Been Tested?
The fix was verified locally using curl and Burp Suite against the Rails API running on localhost:3000.

Test 1 — curl header validation

Sent request to:

GET /api/units/1/all_resources

Confirmed response now includes:

• X-Frame-Options
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Content-Security-Policy

Command used:

curl -I http://localhost:3000/api/units/1/all_resources

Test 2 — Burp Suite validation

Captured API response using Burp Suite Proxy.

Confirmed:
Security headers are present in all responses
Headers match expected secure configuration
No missing header issues observed

Impact
This fix strengthens the application’s security posture by enforcing standard HTTP security headers aligned with OWASP best practices, reducing exposure to common web-based attacks.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• My changes generate no new warnings
• I have tested the fix locally
• New and existing functionality still loads correctly

[AjayPAnand]

Tested the fix locally by checking out PR #97 and running:

curl -I http://localhost:3000/api/units/1/all_resources

Confirmed that the required security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Content-Security-Policy) are now present in the API response. The fix is working as expected.

Screenshot from the BurpSuite analysis

[224599437]

Reviewed and Tested – Working as Expected
I pulled and ran this branch locally and verified the security headers are now present in all API responses using curl and Burp Suite against localhost:3000.
Test Results:
Ran the following command:
curl -I http://localhost:3000/api/units/1/all_resources

Confirmed all five security headers are present in the response:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), camera=(), microphone=()
Content-Security-Policy: default-src 'self'

Code Review:

Headers are applied globally via config/application.rb using Rails' default headers configuration — clean approach that avoids duplicating logic across individual controllers
Mitigates clickjacking, MIME sniffing, XSS, and unnecessary browser feature access
No breaking changes to existing API behaviour