Closed joseftw closed 6 years ago
Spec references?
Referrer-Policy: https://www.w3.org/TR/referrer-policy/
X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
X-Frame-Options: https://www.w3.org/TR/UISecurity/
X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Sorry for some Mozilla links but could not find any W3 links.
@blowdart
X- headers aren't real specs, so I'm on the fence about these, no matter how well used they are.
There are NuGet packages such as NWebsec which add support for these in a much nicer manner, rather than expecting people to do it all manually.
@Tratcher / @blowdart - any further action planned on this PR?
It could be useful, I have no strong feelings.
Yeah, it's not clear that adding only the header names is much value. If there were also APIs associated with these it would make more sense.
E.g. Referrer-Policy is not much use without its list of possible values: "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url".
X-Content-Type-Options has only one defined value, "nosniff".
X-Frame-Options and X-XSS-Protection both have some structure to them and you'd want some formatters.
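A sketch of the typed values and formatters the comment above asks for, added here as an illustration; it is not part of this PR or of any ASP.NET Core API. The names `ReferrerPolicy` and `SecurityHeaderValues` are hypothetical, the Referrer-Policy tokens are the ones listed in the comment, and the X-Frame-Options and X-XSS-Protection values are the commonly documented ones (the obsolete ALLOW-FROM form is left out).

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration only.
public enum ReferrerPolicy
{
    NoReferrer, NoReferrerWhenDowngrade, StrictOrigin, StrictOriginWhenCrossOrigin,
    SameOrigin, Origin, OriginWhenCrossOrigin, UnsafeUrl
}

public static class SecurityHeaderValues
{
    // The only defined X-Content-Type-Options value.
    public const string NoSniff = "nosniff";

    private static readonly Dictionary<ReferrerPolicy, string> ReferrerTokens =
        new Dictionary<ReferrerPolicy, string>
        {
            [ReferrerPolicy.NoReferrer] = "no-referrer",
            [ReferrerPolicy.NoReferrerWhenDowngrade] = "no-referrer-when-downgrade",
            [ReferrerPolicy.StrictOrigin] = "strict-origin",
            [ReferrerPolicy.StrictOriginWhenCrossOrigin] = "strict-origin-when-cross-origin",
            [ReferrerPolicy.SameOrigin] = "same-origin",
            [ReferrerPolicy.Origin] = "origin",
            [ReferrerPolicy.OriginWhenCrossOrigin] = "origin-when-cross-origin",
            [ReferrerPolicy.UnsafeUrl] = "unsafe-url",
        };

    // Emitting from the enum means a typo can never reach the wire.
    public static string Format(ReferrerPolicy policy) => ReferrerTokens[policy];

    // Strict single-token parse: anything outside the list is rejected.
    public static bool TryParseReferrerPolicy(string value, out ReferrerPolicy policy)
    {
        string token = value?.Trim();
        foreach (KeyValuePair<ReferrerPolicy, string> pair in ReferrerTokens)
        {
            if (string.Equals(pair.Value, token, StringComparison.Ordinal))
            {
                policy = pair.Key;
                return true;
            }
        }
        policy = default(ReferrerPolicy);
        return false;
    }

    // X-Frame-Options: DENY or SAMEORIGIN.
    public static string FrameOptions(bool allowSameOrigin) =>
        allowSameOrigin ? "SAMEORIGIN" : "DENY";

    // X-XSS-Protection: "0", "1" or "1; mode=block".
    public static string XssProtection(bool enabled, bool block = false) =>
        !enabled ? "0" : (block ? "1; mode=block" : "1");
}
```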
We’re closing this PR because we don’t feel that this change is a good fit for the product at this time.
We thank you for the contribution and look forward to collaborating more in the future.
Adds Referrer-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers