Add HTTP security headers to nginx reverse proxy config (#914)

apps/server/AliasVault.Client/nginx.conf

@@ -6,6 +6,11 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
+    # Add MIME type mapping for JavaScript modules
+    types {
+        application/javascript mjs;
+    }
+
     # Gzip Settings
     gzip on;
     gzip_vary on;

apps/server/nginx.conf

@@ -66,6 +66,13 @@ http {
         # by the entrypoint script.
         include /etc/nginx/ssl.conf;
 
+        # Security headers
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
+        add_header Content-Security-Policy "frame-ancestors 'self'" always;
+
         # Admin interface
         location /admin {
             proxy_pass http://admin;