Secure the ExpressJS middleware #11

Open
@damianperera

Description

Secure and harden the ExpressJS middleware. Third-party modules can be used. The following security features need to be covered.

  • Content-Security-Policy header for Cross-Site Scripting (XSS) attacks
  • Expect-CT header for Certificate Transparency
  • X-DNS-Prefetch-Control header to control browser DNS prefetching
  • X-Frame-Options header to prevent clickjacking attacks
  • Remove the X-Powered-By header to prevent hackers from exploiting vulnerabilities in Express and Node
  • Public-Key-Pins header to prevent person-in-the-middle attacks
  • X-Download-Options header to prevent IE from opening untrusted HTML files
  • Cache-Control, Surrogate-Control, Pragma and Expires headers to prevent users from getting cached versions of your files
  • X-Content-Type-Options header to prevent browsers from trying to guess the MIME type, which can have security implications
  • Referrer-Policy header to prevent knowing where a user is referred from
  • X-XSS-Protection header to prevent reflected XSS attacks
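Added example, not code from this issue or its project: a dependency-free Express-style middleware that emits each header in the list above, so the behaviour can be checked offline. The function `securityHeaders`, its `pins`/`pinMaxAge` options and the fake response helper are assumptions; in a real project the `helmet` package covers the same headers.

```javascript
'use strict';

// Express-style middleware factory. HPKP is emitted only when `opts.pins`
// (assumed option: base64 SPKI hashes, at least two per RFC 7469) is given,
// because a wrong pin locks users out and current browsers ignore the header.
function securityHeaders(opts = {}) {
  const headers = {
    // XSS: same-origin scripts/styles only, no plugins, never framed.
    'Content-Security-Policy':
      "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    // Certificate Transparency (obsolete in current browsers; kept per the issue).
    'Expect-CT': 'max-age=86400, enforce',
    'X-DNS-Prefetch-Control': 'off',       // no speculative DNS lookups
    'X-Frame-Options': 'DENY',             // clickjacking
    'X-Download-Options': 'noopen',        // IE: save, don't open in site context
    'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    'Surrogate-Control': 'no-store',
    'Pragma': 'no-cache',
    'Expires': '0',
    'X-Content-Type-Options': 'nosniff',   // no MIME sniffing
    'Referrer-Policy': 'no-referrer',      // do not leak the referring URL
    // Legacy filter: "0" disables it, which is what current guidance (and helmet) uses.
    'X-XSS-Protection': '0',
  };
  if (Array.isArray(opts.pins) && opts.pins.length >= 2) {
    headers['Public-Key-Pins'] = opts.pins.map((p) => `pin-sha256="${p}"`).join('; ')
      + `; max-age=${opts.pinMaxAge || 5184000}`;
  }
  return function securityHeadersMiddleware(req, res, next) {
    // Express sets X-Powered-By in its init middleware; remove it here
    // (app.disable('x-powered-by') does the same at app level).
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Constructed stand-in for a Node/Express response (header names are case-insensitive).
function fakeResponse() {
  const store = new Map();
  return {
    setHeader: (k, v) => store.set(k.toLowerCase(), v),
    removeHeader: (k) => store.delete(k.toLowerCase()),
    getHeader: (k) => store.get(k.toLowerCase()),
  };
}

// Runs the middleware against a constructed response that already carries
// the X-Powered-By header Express would have added; returns the result.
function applyTo(opts) {
  const res = fakeResponse();
  res.setHeader('X-Powered-By', 'Express');
  let nextCalled = false;
  securityHeaders(opts)({}, res, () => { nextCalled = true; });
  return { res, nextCalled };
}
```

Mount it with `app.use(securityHeaders())` before any route so every response, including error pages, carries the headers.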