
Add and briefly configure secure headers

Andrew Swistak %!s(int64=6) %!d(string=hai) anos
pai
achega
9b132221b5
Modificáronse 3 ficheiros con 78 adicións e 0 borrados
  1. 1 0
      Gemfile
  2. 2 0
      Gemfile.lock
  3. 75 0
      config/initializers/secure_headers.rb

+ 1 - 0
Gemfile

@@ -21,6 +21,7 @@ gem 'rails', '~> 6.0.0'
 gem 'redis'
 gem 'rest-client', require: false
 gem 'sass-rails', '~> 6.0'
+gem 'secure_headers'
 gem 'webpacker'
 
 # Use Active Storage variant
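Review bot: The new `gem 'secure_headers'` line carries no version constraint, while neighbouring entries such as `gem 'rails', '~> 6.0.0'` and `gem 'sass-rails', '~> 6.0'` use pessimistic constraints and the lockfile resolves this gem to 6.1.1. A future `bundle update` could then move to a new major release whose default headers or configuration keys differ, silently changing what this initializer emits. Consider `gem 'secure_headers', '~> 6.1'` to keep that change an explicit decision.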

+ 2 - 0
Gemfile.lock

@@ -286,6 +286,7 @@ GEM
       sprockets (> 3.0)
       sprockets-rails
       tilt
+    secure_headers (6.1.1)
     selenium-webdriver (3.142.6)
       childprocess (>= 0.5, < 4.0)
       rubyzip (>= 1.2.2)
@@ -369,6 +370,7 @@ DEPENDENCIES
   rubocop-rails
   rubocop-rspec
   sass-rails (~> 6.0)
+  secure_headers
   selenium-webdriver
   shoulda-matchers
   simplecov

+ 75 - 0
config/initializers/secure_headers.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+# rubocop:disable Style/PercentLiteralDelimiters,Lint/PercentStringArray
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: SecureHeaders::OPT_OUT, # mark all cookies as "Secure"
+    httponly: SecureHeaders::OPT_OUT, # mark all cookies as "HttpOnly"
+    samesite: {
+      lax: true, # mark all cookies as SameSite=lax
+    },
+  }
+  config.csp = {
+    # FIXME: only enable localhost for development
+    default_src: %w('self' http://localhost:3000 ws://localhost:3035 http://localhost:3035),
+
+    # FIXME: only enable unsafe-* for development
+    script_src: %w('self' 'unsafe-eval' 'unsafe-inline'),
+  }
+end
+
+# SecureHeaders::Configuration.default do |config|
+#  config.cookies = {
+#    secure: SecureHeaders::OPT_OUT, # mark all cookies as "Secure"
+#    httponly: SecureHeaders::OPT_OUT, # mark all cookies as "HttpOnly"
+#    samesite: {
+#      lax: true, # mark all cookies as SameSite=lax
+#    },
+#  }
+#  # Add "; preload" and submit the site to hstspreload.org for best protection.
+#  config.hsts = "max-age=#{1.week.to_i}"
+#  config.x_frame_options = 'DENY'
+#  config.x_content_type_options = 'nosniff'
+#  config.x_xss_protection = '1; mode=block'
+#  config.x_download_options = 'noopen'
+#  config.x_permitted_cross_domain_policies = 'none'
+#  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
+#  config.csp = {
+#    # "meta" values. these will shape the header, but the values are not included in the header.
+#    # preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+#    # disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
+
+#    # directive values: these values will directly translate into source directives
+#    # default_src: %w('none'),
+
+#    # FIXME: only enable localhost for development
+#    default_src: %w('self' http://localhost:3000 ws://localhost:3035 http://localhost:3035),
+
+#    # FIXME: only enable unsafe-* for development
+#    script_src: %w('self' 'unsafe-eval' 'unsafe-inline'),
+
+#    base_uri: %w('self'),
+#    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+#    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
+#    connect_src: %w(wss:),
+#    font_src: %w('self' data:),
+#    form_action: %w('self'),
+#    frame_ancestors: %w('none'),
+#    img_src: %w('self' data:),
+#    manifest_src: %w('self'),
+#    media_src: %w(),
+#    object_src: %w('self'),
+#    sandbox: true, # true and [] will set a maximally restrictive setting
+#    plugin_types: %w(),
+#    # script_src: %w('self'),
+#    style_src: %w('self' 'unsafe-inline'),
+#    worker_src: %w('self'),
+#    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+#    report_uri: %w(),
+#  }
+#  # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
+#  # config.csp_report_only = config.csp.merge(
+#  #  img_src: %w(),
+#  #  report_uri: %w(),
+#  # )
+# end
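Review bot: The `config.cookies` hash sets `secure` and `httponly` to `SecureHeaders::OPT_OUT`, yet the trailing comments say these mark all cookies as "Secure" and "HttpOnly"; in secure_headers `OPT_OUT` disables that enforcement, so as written the middleware does not add either flag and the comment is misleading. If the comments describe the intent, the two lines should read `secure: true, # mark all cookies as "Secure"` and `httponly: true, # mark all cookies as "HttpOnly"`; if opting out is deliberate, the comments should say why. The two FIXMEs leave `'unsafe-inline'`, `'unsafe-eval'` and the localhost sources in the policy for every environment, which largely defeats the script-src restriction in production; they could be resolved in this commit by building those source lists conditionally, e.g. `script_src: %w('self') + (Rails.env.development? ? %w('unsafe-eval' 'unsafe-inline') : [])`, and likewise for the localhost entries in `default_src`. The large commented-out reference block below the live configuration duplicates the same `OPT_OUT` lines and could be trimmed to the directives still under consideration so the two copies do not drift.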