Bypass few common security attacks to Donut Server

[kmehant]

Possible attacks

• [x] clickjacking
• [x] XSS (reflected)
• [x] Hide technology stack (to give no information to the attacker to avoid technology stack specific attacks)
• [x] Protocol downgrade attacks
• [x] MIME sniffing
• [ ] CSRF (Will do in my next patch)
  • [x] Cache control: do not store any
• [x] Policies
  • [x] set cross domain policies
  • [x] Content security policy
• [x] Privacy Issues
  • [x] referrer policy (privacy issue)
  • [x] DNS prefetch (privacy issue)
• [x] rate limit few endpoints such as login (bypass bruteforce attacks) => Used Dynamic block duration technique with Fibonaccically increasing delayes for wrong attempts to effectively arrest brute force attacks.

[kmehant]

@jaskiratsingh2000 @vaibhavdaren @devesh-verma I am working on these!

[kmehant]

We shall add similar fixes to the Donut Frontend too using Nginx

[Rupeshiya]

@kmehant One major attack that can easily exploit the server is DOS attack, So if possible please prevent that. (https://github.com/codeuino/social-platform-donut-backend/pull/146#discussion_r454396965)