gateway: introduce content-security-policy for all responses

Signed-off-by: Younes Khoudli <[email protected]>

Author: Khoyo

gateway/src/main.rs

@@ -86,7 +86,13 @@ async fn main() -> std::io::Result<()> {
             actix_cors::Cors::default()
         };
 
+        let default_headers = actix_web::middleware::DefaultHeaders::new().add((
+            "Content-Security-Policy",
+            "default-src 'self'; connect-src 'self' https://icons.app.sbb.ch; frame-ancestors 'self'; form-action 'self'; img-src 'self' data:; font-src 'self' https://cdn.app.sbb.ch/fonts/ data:; style-src 'self' 'unsafe-inline';",
+        ));
+
         let mut app = App::new()
+            .wrap(default_headers)
             .wrap(cors)
             .wrap(RequestTracing::new())
             .wrap(Compress::default()) // enable compress