staking-launchpad
Launchpad HTTP headers security improvement
Some HTTP headers required for security are not set on https://launchpad.ethereum.org/. With a carefully crafted combination of stylesheets, iframes, and text boxes on a phishing webpage, a user can be led to believe they are interacting with the real launchpad website, but are instead typing into an invisible frame controlled by the attacker.
Proposed fix
As described in greater detail in the OWASP Secure Headers project (https://owasp.org/www-project-secure-headers/), the website's security will benefit from instructing the browser by adding the following headers to responses at https://launchpad.ethereum.org/:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: origin-when-cross-origin
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15768000;includeSubdomains
Additional notes:
- The proposed Content-Security-Policy header is a minimal required version, it may benefit from more precise tuning based on specifics of Launchpad.
- Strict-Transport-Security header is already present, but it does not include the includeSubdomains flag.
@hwwhww @CarlBeek could you help with this or point me to a person who can?
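As an added example (not code from the staking-launchpad or ethereum.org projects), the script below checks a response's headers against the set proposed above and renders that set as a Netlify `_headers` file (path line followed by indented `Name: value` lines). The sample response headers are constructed to mirror the state the issue describes (HSTS present without includeSubDomains, the rest absent); they are not a capture from the live site, and the minimum HSTS lifetime it enforces is simply the max-age proposed above.

```python
"""Audit HTTP security headers against the set proposed in this issue,
and render that set as a Netlify `_headers` file."""
from __future__ import annotations

# The header set proposed in this issue, used as the audit baseline.
RECOMMENDED: dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "origin-when-cross-origin",
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=15768000;includeSubdomains",
}

# Minimum HSTS lifetime accepted, in seconds (assumption: the value proposed above, ~6 months).
MIN_HSTS_MAX_AGE = 15768000


def _split_directives(value: str) -> dict[str, str]:
    """Parse 'max-age=15768000; includeSubDomains' into
    {'max-age': '15768000', 'includesubdomains': ''}. Names are case-insensitive."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse a CSP value into {directive: [source, ...]}; directives are ';'-separated."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # Clickjacking: CSP frame-ancestors is authoritative in modern browsers,
    # X-Frame-Options is the legacy fallback. Check both.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has non-restrictive value {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "frame-ancestors" not in _csp_directives(csp):
        findings.append("Content-Security-Policy lacks frame-ancestors (framing not restricted)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if h.get("x-permitted-cross-domain-policies", "").strip().lower() != "none":
        findings.append("X-Permitted-Cross-Domain-Policies is not 'none'")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # The legacy XSS auditor is itself a source of bugs; '0' disables it explicitly.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection (should be set to '0')")
    elif xss.strip() != "0":
        findings.append(f"X-XSS-Protection should be '0', got {xss!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = _split_directives(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age is treated as too short
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


def render_netlify_headers(path: str = "/*") -> str:
    """Render RECOMMENDED as a Netlify `_headers` file for the given path pattern."""
    lines = [path] + [f"  {name}: {value}" for name, value in RECOMMENDED.items()]
    return "\n".join(lines) + "\n"


# Constructed sample modelled on the state described in the issue (not a real capture):
# HSTS is present but without includeSubDomains; the other headers are absent.
OBSERVED_SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    for finding in audit_security_headers(OBSERVED_SAMPLE):
        print("FAIL:", finding)
    print("hardened set findings:", audit_security_headers(RECOMMENDED))
    print(render_netlify_headers())
```

The audit parses directives rather than comparing raw strings, so `max-age=15768000;includeSubdomains` and `max-age=15768000; includeSubDomains` are treated the same, and a CSP that sets `default-src` but omits `frame-ancestors` is still flagged as leaving framing unrestricted.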
Thanks for bringing this to my attention and I apologize for the delayed response. I have raised this issue with devops internally so we should get this sorted ASAP.
Not sure if this would fix all issues but here's the Netlify configuration we did for HTTP response headers on ethereum.org: https://github.com/ethereum/ethereum-org-website/pull/744