Deduplicate security headers

[sadiqkhoja]

• currently security headers are defined in common-headers.conf and in the enketo location block in main conf file. This commit introduces $enketo variable, whose value is set to true in enketo location block and using this variable in common-headers to decide which CSP policy should be applied if it is enketo or otherwise.
• Added tests to ensure that all paths have correct CSP headers.

Before submitting this PR, please make sure you have:

• branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
• verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

[alxndrsn]

It would be great to hear more about the motivation for this change. I think testing the CSP headers is a great idea, but I don't yet see the value in moving the enketo policy alongside the central-frontend policy - there is no technical reason why they should share any common policy.

[sadiqkhoja]

I don't yet see the value in moving the enketo policy alongside the central-frontend policy - there is no technical reason why they should share any common policy.

My motivation for this PR is to have following headers in one place, currently there are in two places i.e. odk.conf.template and common-headers.conf with the expectation that both should be modified in tandem:

add_header Referrer-Policy same-origin;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;

[alxndrsn]

with the expectation that both should be modified in tandem

Good point.

Maybe there should be two files, e.g. global-headers.conf and central-frontend-headers.conf?

If there's a way of eliminating the separate files, that might also make life simpler.

[alxndrsn]

I think recent changes have resolved the concerns this PR was addressing.