Conversation

@atharv02-git
Base Repository: 8.0.x

Description

  • This PR addresses Clickjacking and potential XSS vulnerabilities by adding appropriate security headers to the proxy-nginx.conf file used in production. These headers are now enforced at the outer reverse proxy layer (doubtfire-deploy) to ensure consistent protection across all services.
  • The changes follow recommendations from the AppAttack x OnTrack vulnerability report and align with security best practices for modern web applications.

Note

Kindly go through the attached documentation first in order to understand what this fix is about in detail and how it can be tested.

What was changed:

  • Modified: production/shared-files/proxy-nginx.conf

Fixes # (Clickjacking vulnerability (AppAttack finding))

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

How Has This Been Tested?

  • Used browser DevTools to inspect headers returned for application responses
  • Yet to test Clickjacking Prevention in a Malicious <Iframe> Setup as listed in the report.

Testing Checklist:

  • Tested in latest Chrome
  • Needs to be tested inside a dedicated environment like Kali Linux inside a VirtualBox VM.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have requested a review from @ibi420

Note: This PR should be merged in sync with the corresponding PR in doubtfire-web where redundant headers are commented out to prevent override.
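An added check, not code from this PR or the doubtfire-deploy project, that does in a script what the DevTools inspection listed above does by hand: it parses a response's headers, reports whether clickjacking protection is present, and flags a header emitted twice (the proxy-plus-app override case the closing note describes). All header samples are constructed.

```python
"""Header check for this PR's clickjacking fix. Added example, not code from
the PR or doubtfire-deploy: it scripts the DevTools header inspection and
flags a header emitted by both proxy and app. All samples are constructed."""
from typing import Dict, List, Tuple
# Constructed sample: what the patched proxy is expected to return.
PROXY_ONLY = """\
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
"""
# Constructed sample: proxy and app both set X-Frame-Options with different
# values, the override situation the PR's closing note asks to avoid.
DUPLICATED = """\
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src 'self'
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a lower-cased multi-map, keeping duplicates."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp: str) -> List[str]:
    """Return the frame-ancestors sources of one CSP value, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []

def check_clickjacking(headers: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Return (protected, findings). Protected: exactly one X-Frame-Options
    DENY/SAMEORIGIN, or a CSP frame-ancestors list without '*'."""
    findings: List[str] = []
    xfo = headers.get("x-frame-options", [])
    if len(xfo) > 1:  # sent twice: report it, do not trust either value
        findings.append(f"X-Frame-Options sent {len(xfo)} times: {xfo}")
    xfo_ok = len(xfo) == 1 and xfo[0].upper() in ("DENY", "SAMEORIGIN")
    if not xfo_ok:
        findings.append("no single X-Frame-Options DENY/SAMEORIGIN")
    ancestors = [a for v in headers.get("content-security-policy", [])
                 for a in frame_ancestors(v)]
    csp_ok = bool(ancestors) and "*" not in ancestors
    if not csp_ok:
        findings.append("no restrictive CSP frame-ancestors directive")
    return xfo_ok or csp_ok, findings
```

Feed it the raw response headers copied from the DevTools Network tab; a non-empty findings list on a response that should be protected points at the header the proxy or the app is missing or duplicating.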

@atharv02-git atharv02-git changed the title Mentioning headers to prevent XSS attacks and not to load any <iframe… Added headers to avoid ClickJacking and XSS attacks Apr 21, 2025
@atharv02-git atharv02-git changed the base branch from 8.0.x to app-attack-fixes April 28, 2025 07:45
@atharv02-git atharv02-git changed the base branch from app-attack-fixes to 8.0.x April 28, 2025 07:46
@atharv02-git atharv02-git deleted the fix/clickjacking-vulnerability branch April 28, 2025 13:55