Security headers

config/application.rb

@@ -29,7 +29,10 @@ module StandardNotes
     }
 
     SecureHeaders::Configuration.default do |config|
-      config.x_frame_options = "ALLOWALL"
+      config.x_frame_options = "SAMEORIGIN"
+      config.x_content_type_options = "nosniff"
+      config.x_xss_protection = "1; mode=block"
+      config.hsts = "max-age=#{1.week.to_i}"
       config.csp = {
         # "meta" values. these will shape the header, but the values are not included in the header.
          preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.