Comment 3 for bug 1717321

Matthew Thode (prometheanfire) wrote :

OK, current plan, ssl settings can be done in another bug or something

add the following headers statically to all roles (particular location depends on what the role uses as a web server/proxy). It could go into haproxy, apache or nginx configs, depending on the role/subproject. Particular header content will differ only for the content security policy and even then, only really for horizon. The XSS and Content-Type-Options header will be the same for all requests (haven't seen them ever break something).

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self' https: wss:;";

The following header will be defaulted to on but will be able to be disabled for those that want to embed something within an iframe. ONLY horizon will be able to disable it as it is the only service that is iframe-embeddable.

add_header X-Frame-Options DENY;

For horizon, the CSP header value that allows the web console to work requires us to know the value of the web console domain/ip/url (see the example.com part below).

add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; child-src 'self' https://example.com:6080;";

For nginx configs we can set something like the following to ensure DNS uses a trusted source, not sure if this will require a new var or if one exists. I'll look for comparable values for apache and haproxy.

resolver 1.2.3.4;
resolver_timeout 5s;