Comment 9 for bug 1717321

Submitter: Zuul
Branch: stable/pike

commit bb64d2bd4309b1e538f88725b29dde659d3ecd2b
Author: Matthew Thode <email address hidden>
Date: Mon Sep 25 11:08:21 2017 -0500

    Add security headers to web accessible services.

    Adds the following headers as static:

        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        append Content-Security-Policy "default-src 'self' https: wss:;"

    nosniff prevents non-executable mime types from becoming executable.
    The X-XSS-Protection header will prevent the loading of a page if the
    browser detects an xss attack. The Content-Security-Policy declares
    what dynamic resources are allowed to load.

    Adds the following header as user-settable via the
    keystone_x_frame_options variable.

        X-Frame-Options "DENY"

    By default the X-Frame-Options header denies embedding in an iframe.

    Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
    Partial-Bug: 1717321
    (cherry picked from commit 81a28142a065e07f16756b1bc4cfb68a98e0a2e9)
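The following is an added example, not part of the bug comment or of the project's own change: a small Python audit that checks an HTTP response's headers against the set the commit message describes (the two static headers, the default-src CSP, and X-Frame-Options with DENY as the default). The function and constant names are my own, and the two sample header sets are constructed, not captured from a real deployment.

```python
"""Audit an HTTP response's security headers against the policy described in the commit."""
from typing import Dict, List

# Static headers and values as listed in the commit message.
EXPECTED_STATIC = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# X-Frame-Options is user-settable (keystone_x_frame_options); DENY is the default.
# SAMEORIGIN is accepted here as the other framing-restricting value.
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';'; each is a name followed by
    whitespace-separated source expressions.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy[parts[0].lower()] = parts[1:]
    return policy


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name, expected in EXPECTED_STATIC.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != expected.lower():
            findings.append(f"{name}: expected {expected!r}, got {got!r}")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        default = parse_csp(csp).get("default-src")
        if default is None:
            findings.append("Content-Security-Policy: no default-src directive")
        else:
            # A wildcard or unsafe-inline/unsafe-eval in default-src defeats the policy.
            for src in default:
                if src == "*" or src.lower() in ("'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"Content-Security-Policy: default-src allows {src}")
            if "'self'" not in default:
                findings.append("Content-Security-Policy: default-src does not include 'self'")
    return findings


# Constructed sample responses (not captured from any real service).
HARDENED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' https: wss:;",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "x-content-type-options": "nosniff",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_security_headers(hdrs) or "OK")
```

The check treats the page's `https:` and `wss:` sources as acceptable because that is the policy the change ships; note that `https:` permits any HTTPS origin, so a deployment wanting a tighter policy would replace it with explicit hosts rather than rely on this audit to flag it.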