added security headers inside production/proxy-nginx.conf to avoid cl…

[atharv2-git]

Base Branch: 9.x

Note: This PR is made to doubtfire-lms/doubtfire-deploy as an upstream contribution after peer review, AppAttack security verification, and mentor approval.

Description

This PR adds security headers to the production reverse proxy configuration (proxy-nginx.conf) to mitigate Clickjacking and potential XSS vulnerabilities across all Doubtfire services.

• These headers are enforced at the outer proxy level to ensure a consistent and centralized security model for upstream services like doubtfire-web.
• The patch aligns with recommendations from the AppAttack x OnTrack security audit and modern web security best practices.

The corresponding inner doubtfire-web service PR is available at:
🔗 doubtfire-lms/doubtfire-web#946

Headers Added

• X-Frame-Options: DENY
• Content-Security-Policy: default-src 'self', and frame-ancestors 'none'

Both headers prevent the application from being embedded in <iframe> tags, effectively blocking clickjacking attempts.

What was changed

• Modified file: production/shared-files/proxy-nginx.conf
• Added security headers to HTTP response block to be applied globally at reverse proxy layer.

Fixes: Clickjacking vulnerability reported by AppAttack using <iframe> injection methods.

Reference PRs

• Related web-level changes: doubtfire-lms/doubtfire-web#946
• Original peer-reviewed PR: thoth-tech/doubtfire-deploy PR
• Background documentation: Fix ClickJacking Vulnerability Documentation

Testing Summary

• Verified that all production responses now include the expected security headers.
  • X-Frame-Options: DENY
  • Content-Security-Policy: default-src 'self', and frame-ancestors 'none'
• Confirmed with browser DevTools that headers are applied globally and cannot be overridden downstream.
• Peer review and attack simulation by AppAttack confirmed that malicious framing attempts are blocked.
• Security validation approved by:
  • @ibi420 - confirmed header propagation and patch success
  • @lachlan-robinson - verified redundant defense and correct config
  • @DarrylO21 (AppAttack Lead) - validated real-world attack prevention
  • @theiris6 - verified production readiness
  • @aNebula - approved upstream PR after mentor review

Checklist

• Headers added only to proxy-nginx.conf (no unrelated changes)
• Forked cleanly from 9.x branch
• All requested changes and reviews completed
• Upstream web PR cross-linked

[b0ink]

This change on its own won't be compatible with the new LTI features, as we need OnTrack to be embedded in sites like Moodle, which is done using an iframe.

We could potentially whitelist permitted domains using this...

add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://moodle.example.edu;" always;